This gist previously contained a draft version of my post announcing the malicious code in the purescript npm installer.
You can now find the published post on my blog: https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer
Last active
August 8, 2019 12:51
-
-
Save hdgarrood/5735886b7704389de5ef379413c00d78 to your computer and use it in GitHub Desktop.
I see. Also, did npm not email you when load-from-cwd-or-npm@3.0.2 and rate-map@1.0.3 were published?
Ok. thanks. I also noticed that load-from-cwd-or-npm@3.0.2 is accompanied by a commit in GitHub which seems to indicate that it was published by someone with access to your github SSH key: shinnn/load-from-cwd-or-npm@5be252c. Was that commit made by you or was your github SSH key compromised as well?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
So just to be clear, are you saying that you didn’t have 2FA for npm set up until just now, despite the fact that you reminded us that we should enable it a few weeks ago, on the issue in the
node-purescriptrepo where I suggested transferring the npm package?