[-] HubertManne@piefed.social 10 points 5 days ago

holy crap:

On July 19, 2025, the package's primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.

[-] Cyber@feddit.uk 4 points 5 days ago

So, is that just a 'developer' component, or have I got to analyse all my systems now for the NPM components in the article's list?

[-] freewheel@sh.itjust.works 1 point 1 day ago* (last edited 1 day ago)

Little late to the party here, and I'm not primarily a js dev, but... yes. It looks like it's one of those syntactic sugar kind of packages that devs love to use. The bonus here is you can probably use a find-grep kind of process to check package-lock.json for references to the package. (there might be an npm command, but like I say - not a js dev.)

For example:

$ grep '"is":' package-lock.json
        "is": "^3.3.0",
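As an added example, not part of freewheel's comment or of any project's own tooling: the grep above finds the range spec, but a range such as `^3.3.0` can resolve to 3.3.1, so what matters is the version the lockfile actually pins, and a package can also be installed more than once at nested `node_modules` paths. The script below reads a `package-lock.json` (both the v1 nested `dependencies` tree and the v2/v3 flat `packages` map), lists every installed copy of `is`, and flags those inside the 3.3.1 through 5.0.0 range quoted in the first comment. The two sample lockfiles are constructed for the example and are not from any real project.

```python
import json
import sys
from typing import Iterator

# The compromised range quoted upthread: versions 3.3.1 through 5.0.0 of "is".
AFFECTED_PACKAGE = "is"
AFFECTED_MIN = (3, 3, 1)
AFFECTED_MAX = (5, 0, 0)

# Constructed sample lockfiles (not from any real project). The v3 one declares
# "is": "^3.3.0" in package.json terms, but the lock actually pins 3.3.1, so a
# grep for the range spec alone would look clean while the install is affected.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"is": "^3.3.0", "left-pad": "^1.3.0"}},
        "node_modules/is": {
            "version": "3.3.1",
            "resolved": "https://registry.npmjs.org/is/-/is-3.3.1.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
        # a second, nested copy pulled in by another dependency
        "node_modules/foo/node_modules/is": {"version": "3.3.0"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "foo": {"version": "1.0.0", "dependencies": {"is": {"version": "4.2.0"}}},
        "is": {"version": "3.3.0"},
    },
})


def parse_semver(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); prerelease and build suffixes are dropped."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def installed_versions(lock: dict, name: str) -> Iterator[tuple[str, str]]:
    """Yield (node_modules path, version) for every installed copy of `name`.

    lockfileVersion 2/3 keep a flat "packages" map keyed by path; lockfileVersion 1
    nests a "dependencies" tree. v2 files carry both, so the tree is only walked
    when "packages" is absent, to avoid reporting each copy twice.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "" or not isinstance(entry, dict):
                continue  # "" is the root project itself
            pkg_name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            if pkg_name == name and "version" in entry:
                yield path, entry["version"]
        return

    def walk(deps: dict, prefix: str) -> Iterator[tuple[str, str]]:
        for dep_name, entry in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name and "version" in entry:
                yield path, entry["version"]
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock_text: str) -> list[tuple[str, str, str]]:
    """Return (path, version, verdict) for copies of the affected package inside the
    compromised range. Versions that are not plain semver (git URLs, file: paths)
    are reported as "unparseable" rather than silently skipped."""
    lock = json.loads(lock_text)
    hits = []
    for path, version in installed_versions(lock, AFFECTED_PACKAGE):
        try:
            parsed = parse_semver(version)
        except ValueError:
            hits.append((path, version, "unparseable"))
            continue
        if AFFECTED_MIN <= parsed <= AFFECTED_MAX:
            hits.append((path, version, "AFFECTED"))
    return hits


if __name__ == "__main__":
    # usage: python check_lock.py [path/to/package-lock.json]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for path, version, verdict in find_affected(text):
        print(f"{verdict}: {path} ({version})")
```

The npm command the comment guesses at is `npm ls is`, which prints every installed copy of the package with its version; the script above does the same from the lockfile alone, which is useful when checking a checked-out repository without installing it. For deployed systems the lockfile is not enough: the version in `node_modules/is/package.json` on the box is what was actually run.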
this post was submitted on 24 Jul 2025 to c/cybersecurity