Malicious Package in shrugging-logging
Critical severity
GitHub Reviewed
Published
Sep 11, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 11, 2020
Last updated
Jan 9, 2023
All versions of
shrugging-logging
contain malicious code as a postinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking,Recommendation
Remove the package from your system. If you own any packages that were compromised please contact npm security immediately at security@npmjs.com. Also enable 2FA for publishing to further secure packages you maintain.
References