4 matches found
Malicious code in nokire-lokcek31 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebe654f7863b260d7b2fd03526f34e58ba42907104c36c6f3e054a48ba9431e6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in polymedr-mindatas-buipenaj (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15da89b3928f080cbcde72348ca4047d1935fec3e0d9509506126b6651172e1b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in intelligent_clownfish_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2d91cfcf28e832dcb525b82f4b378cae85939d23c716cbf4ed7d9aa2b3abc20 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
GHSA-VM32-9RQF-RH3R pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Summary pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. npm metadata from global cache affects other workspaces 3. installs by default don't revalidate the data including on first lockfile generation This can make...