colors.js (npm: colors) includes malware code.
Marak/colors.js#285
Affected Versions:
- 1.4.2
- 1.4.1
- 1.4.44-liberty-2
The package author is marak (https://www.npmjs.com/~marak). It looks like marak has malicious intent: marak removed dabh@stanford.edu from the package's owners before publishing the malware versions. https://deps.dev/npm/colors/1.4.2
This incident affects various downstream packages, including winston, http-server, cypress, karma, and aws-cdk:
- winstonjs/winston#2010
- http-party/http-server#783
- cypress-io/cypress#19622
- karma-runner/karma#3738
- aws/aws-cdk#18322
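To check whether a project pulls in one of the affected versions, either directly or through a dependency like the ones listed above, here is an added example that scans a package-lock.json for installed copies of colors. It is not code from the colors project or from this advisory; the lockfiles embedded in it are constructed samples, and the package names example-logger and example-cli are placeholders.

```javascript
// Added example, not part of the original advisory: scan an npm lockfile for
// installed copies of colors at the versions listed above, including nested
// copies that a dependency pulls in. The lockfiles at the bottom are
// constructed sample input.

const AFFECTED_COLORS_VERSIONS = new Set(["1.4.1", "1.4.2", "1.4.44-liberty-2"]);

function isAffectedColors(name, version) {
  return name === "colors" && AFFECTED_COLORS_VERSIONS.has(version);
}

// lockfileVersion 2/3: "packages" is a flat map keyed by install path, e.g.
// "node_modules/example-logger/node_modules/colors". The "" key is the project itself.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue;
    // The package name is everything after the last "node_modules/" segment,
    // which also keeps scoped names like "@scope/pkg" intact.
    const idx = path.lastIndexOf("node_modules/");
    const name = meta.name || (idx === -1 ? path : path.slice(idx + "node_modules/".length));
    if (isAffectedColors(name, meta.version)) hits.push({ path, version: meta.version });
  }
}

// lockfileVersion 1: "dependencies" is a nested tree, so recurse through it.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isAffectedColors(name, meta.version)) hits.push({ path, version: meta.version });
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
}

// Returns every affected install of colors as { path, version }.
function findAffectedColors(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample (placeholder package name): lockfileVersion 2 with a clean
// top-level colors and a nested malicious copy pulled in by a dependency.
const SAMPLE_LOCK_V2 = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "example-logger": "^2.0.0", colors: "1.4.0" } },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/example-logger": { version: "2.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/example-logger/node_modules/colors": { version: "1.4.2" },
  },
};

// Constructed sample (placeholder package name): lockfileVersion 1 nested tree
// carrying the "liberty" build.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "example-cli": {
      version: "1.0.0",
      dependencies: { colors: { version: "1.4.44-liberty-2" } },
    },
  },
};

for (const h of findAffectedColors(SAMPLE_LOCK_V2)) {
  console.log(`AFFECTED colors@${h.version} at ${h.path}`);
}
```

To scan a real project, replace SAMPLE_LOCK_V2 with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); `npm ls colors` gives the same view from npm itself. colors 1.4.0 is the last release without the malicious code, so pinning it (for example with an "overrides" entry for colors in package.json, supported from npm 8.3) is the practical workaround until the downstream packages above update their ranges.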
Also, marak has access to many other packages: https://gist.github.com/azu/11b105a9e35dc9d5f07312c24a35c82b
Please consider treating this as a security vulnerability.
GHSA-5rqg-jm4f-cqx7