Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects(socket.dev)
socket.dev
Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects
https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos
6 コメント
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
Title is somewhat misleading. "Node projects" mean projects using nodejs as opposed to projects under the Node.js org.
All Composer packages (but the malicious part is in the node dependency)
Effected*
> Use effect as a noun to refer to a change resulting from something.
Effected*
> Use effect as a noun to refer to a change resulting from something.