Comment by joaomoreno
3 months ago
From sindresorhus:
You can run the following to check if you have the malware in your dependency tree:
`rg -u --max-columns=80 _0x112fa8`
Requires ripgrep:
`brew install rg`
https://github.com/chalk/chalk/issues/656#issuecomment-32668...
Sorry, I am unfamiliar with ripgrep. Is this simply scanning for the string `_0x112fa8`? Could we do the same thing with normal grep -r?
yes. ripgrep just does it faster, is all.
But also respects .gitignore by default so I’m not sure you want to use ripgrep to scan your node_modules
3 replies →
Make it work, make it right, make it fast.
For security checks, the first 2 out of 3 is just fine.
1 reply →
[flagged]
I feel like you were trying to help here, but anyone can do this for themselves. Providing information in this way sort of indicates that you don't believe that the person you're replying to can do it on their own, and for that reason it's considered rude.
7 replies →
Asking people to run random install scripts just feels very out of place given the context.
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
Anyone can upload an NPM package without much review. For Homebrew, you at least have to submit a pull request.
4 replies →
APT repos for Debian, Trisquel, Ubuntu... require far more checkings and bureaucracy.
7 replies →
> don't we consider things like `brew` to be sufficiently low-risk,
Like ... npm?
8 replies →
ripgrep is quite well known. It’s not some obscure tool. Brew is a well-established package manager.
(I get that the same can be said for said for npm and the packages in question, but I don’t really see how the context of the thread matters in this case).
Try the same recursive grep on ~/.npm to see if you have it cached too. Not just the latest in the current project.
Haven't installed any modules today, but I ran these commands to clear caches for npm and pnpm just to be safe.
npm cache clean --force pnpm cache delete
You probably want to check before you clear cache
Here's something I generated in my coding AI for Powershell:
`Get-ChildItem -Recurse | Select-String -Pattern '_0x112fa8' | ForEach-Object { $_.Line.Substring(0, [Math]::Min(80, $_.Line.Length)) }`
Breakdown of the Command:
- Get-ChildItem -Recurse: This command retrieves all files in the current directory and its subdirectories.
- Select-String -Pattern '_0x112fa8': This searches for the specified pattern in the files.
- ForEach-Object { ... }: This processes each match found.
- Substring(0, [Math]::Min(80, $_.Line.Length)): This limits the output to a maximum of 80 characters per line.
---
Hopefully this should work for Windows devs out there. If not, reply and I'll try to modify it.
Or you can just install ripgrep on windows too and have it check much faster ;)
If it produces no output, does that mean that there's no code that could act in the future? I first acted out of nerves and deleted the whole node-modules and package.lock in a couple of freshly opened Astro projects, curious if I should considered my web surfing to still be potentially malicious
The malware introduced here is a crypto address swapper. It's possible that even after deleting node_modules that some malicious code could persist in a browser cache.
If you have crypto wallets on the potentially compromised machine, or intend to transfer crypto via some web client, proceed with caution.
convenience script that checks through package.json dependency tree + a couple malicious binary patterns:
https://gist.github.com/edgarpavlovsky/695b896445c19b6f66f14...
doesn't work for monorepos
[dead]