@azu
Last active January 10, 2022 23:16
colors.js 1.4.1, 1.4.2 embed malware code. [Reported to npm]

colors.js (npm: colors) includes malware code. Marak/colors.js#285

Affected Versions:

  • 1.4.2
  • 1.4.1
  • 1.4.44-liberty-2

The package author is marak (https://www.npmjs.com/~marak). It looks like marak has malicious intent: marak removed dabh@stanford.edu from the package's owners before publishing the malware versions. https://deps.dev/npm/colors/1.4.2

This incident affects various packages that depend on colors, such as winston, http-server, cypress, karma, and aws-cdk.

marak also has access to many other packages. https://gist.github.com/azu/11b105a9e35dc9d5f07312c24a35c82b

Please consider treating this as a security vulnerability.
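As an added example (not part of the gist, and not tooling from npm or the colors project), the script below scans a package-lock.json for any copy of colors pinned at one of the affected versions listed above, including copies nested under other dependencies such as a logging library. The two sample lockfiles embedded in it are constructed for the demonstration; the package names `example-app`, `example-logger` and `example-cli` are placeholders, and the only versions taken from the report are the three affected colors versions.

```python
import json

# Versions of `colors` named in the report above.
AFFECTED_COLORS_VERSIONS = {"1.4.1", "1.4.2", "1.4.44-liberty-2"}


def find_affected(lock: dict) -> list[tuple[str, str]]:
    """Return sorted (install path, version) pairs for every copy of `colors`
    pinned at an affected version.

    lockfileVersion 2/3 lists every install under "packages", keyed by its
    node_modules path; lockfileVersion 1 nests installs under "dependencies".
    Both layouts are checked so that nested copies pulled in by another
    dependency are found, not just the top-level one.
    """
    hits: list[tuple[str, str]] = []
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Aliased installs carry an explicit "name"; otherwise derive it
            # from the last node_modules segment (keeps "@scope/name" intact).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == "colors" and meta.get("version") in AFFECTED_COLORS_VERSIONS:
                hits.append((path, meta["version"]))
    else:
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "colors" and meta.get("version") in AFFECTED_COLORS_VERSIONS:
                    hits.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def scan_lockfile_text(text: str) -> list[tuple[str, str]]:
    """Parse package-lock.json content and report affected installs."""
    return find_affected(json.loads(text))


# Constructed sample lockfiles (placeholder package names, not real projects).
SAMPLE_LOCK_V2 = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/colors": {"version": "1.4.0"},
        "node_modules/example-logger": {"version": "2.0.0"},
        "node_modules/example-logger/node_modules/colors": {"version": "1.4.2"},
        "node_modules/example-cli": {"version": "3.0.0"},
        "node_modules/example-cli/node_modules/colors": {"version": "1.4.44-liberty-2"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "example-logger": {"version": "2.0.0",
                           "dependencies": {"colors": {"version": "1.4.1"}}},
        "colors": {"version": "1.3.3"},
    },
})

if __name__ == "__main__":
    import sys
    # Pass a real package-lock.json path to scan it; otherwise the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V2
    for path, version in scan_lockfile_text(text):
        print(f"AFFECTED colors@{version} at {path}")
```

The scan matches exact versions only, which is deliberate: the report names three specific releases, and a lockfile pins exact versions, so a range check would add guesswork the report does not support. Run it against each project's package-lock.json; a hit under a nested path means the affected copy arrived through a transitive dependency and the intermediate package is the one to pin or override.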

azu commented Jan 10, 2022