Information about security issue #282
Comments
Locking this thread until a @conventional-changelog/conventional-changelog core team member can respond to the question.
What happened

A core contributor to the Using these credentials, a malicious version of As soon as this issue was reported to us, we published patch versions of all During this publication, it turned out that As soon as this publication error was observed, a new version of the offending library was published and it was validated that Lerna was again functioning appropriately.

Did this impact me?

If you installed Lerna, standard-version,

We advise killing this process and removing this executable. Nothing is in place to actively restart this executable, and your system should be safe as soon as these actions are taken.

Actions that will be taken
CC: @stevemao, @Tapppi, @kentcdodds, @jimthedev

Update: it looks like commitizen was not using conventional-changelog directly, and was likely not affected.
The malicious code was to be executed when the exported
The shell code that was executed by the package (converted to multi-line to display steps):
Miner executable SHA256: VirusTotal report for the miner file: https://www.virustotal.com/#/file/28d5f75e289d652061c754079b23ec372da2e8feb1066a3d57381163b614c06c/detection
@bcoe I am looking for the dependency path between conventional-changelog and commitizen. Is there a direct one, or did the person whose credentials were used have push access to both?
I see. Thanks for the update and fixing it so quickly. It would also be nice if Lerna could support the npm lockfile.
@bcoe thanks for the fast reaction and good followups. 💯 Also thanks pavel for the extra info. 🙂
@jimthedev I apologize, it looks like commitizen was most likely not affected; as it didn't use
Cheers. Either way, thank you for the communication.
I have installed standard-version on a Windows machine. Does this impact me, and how can I fix it?
@sandangel Windows machines should be fine. You can verify your %COMSPEC% just to be sure, if it has path to
Just to clarify: the malicious code is not triggered via Potentially, changelog related functionality of requiring packages is affected, but it depends on how affected requiring packages use If you were affected by the malicious package I advise checking the SHA256 of the executable prior to removing the file. The executable at the URL that the packaged script was using may have been changed to serve a different file.
In what way does Lerna not "support" Your root dependencies (where
@evocateur
@evocateur we use hoisting and last time I tried it didn't quite work properly. Maybe it's been fixed now?
cc @pdehaan
cc @fwhite-wsm
Heads up: I've submitted this to the Snyk Vulnerability DB.
I don't see any patches to conventional-changelog-lint -- was that intentional?
Oh, I see that it's in a different repo.
Submitted to https://nodesecurity.io/report /cc @evilpacket
Going ahead and closing this issue; we have an ongoing conversation here about enabling 2FA.
Will there be an official announcement regarding this issue from It would seem like good practice to announce this or even send an email to all your customers, even if it's not NPM's fault. It's not about blame, but about ensuring that everyone is safe.
@TimBeyer I'll talk to my peers at npm about this ... I could imagine potentially having a section of our weekly newsletter that brings critical security vulnerabilities from modules in the ecosystem to people's attention.
Did this receive an entry in https://www.npmjs.com/advisories? I've been unable to find anything, and both https://www.npmjs.com/advisories?search=conventional-changelog and https://www.npmjs.com/advisories?search=conventional-changelog-preset-loader return no results.
@straub I'm no longer in close proximity to manage that data as of today, but @andreeleuterio might be able to help. ✌️
It was mentioned that a hacked version of the project was published.
Please can you provide more information about this and what it did? E.g. was it self-contained, or did it install itself somewhere outside of node_modules?
#279 (comment)
Thanks