| ▲ | bstsb 4 days ago | |
looks like it won't affect you if you just downloaded the packages locally. the actual code only runs in a browser context - it replaces all crypto addresses in many places with the attacker's. a list of the attacker's wallet addresses: https://gist.github.com/sindresorhus/2b7466b1ec36376b8742dc7... | ||
| ▲ | pingou 4 days ago | parent | next [-] | |
I wonder why they didn't add something more nefarious that can run on developers machines while they were at it, would it have been too easy to see? It was caught very quickly anyway. | ||
| ▲ | smoovb 3 days ago | parent | prev | next [-] | |
Etherscan has tagged these addresses already. As of this check, none of the other block explorers have. Etherscan - yes - https://etherscan.io/address/0x4Cb4c0E7057829c378Eb7A9b174B0... Mempool.space - no Blockchair - no Tronscan - no Blockcypher.com - no Blockread.io - no | ||
| ▲ | keepamovin 4 days ago | parent | prev [-] | |
that will still affect users of your website that uses these packages, tho. | ||