ameliaquining 4 days ago

If a dev doesn't happen to run npm install during the period between when the compromised package gets published and when npm yanks it (which for something this high-profile is generally measured in hours, not days), then they aren't going to be impacted. So an attacker's patience won't be rewarded with many valid credentials.

giveita 3 days ago | parent [-]

Dev, or their IDE, agent, etc.

komali2 3 days ago | parent [-]

Their build chain, CI environment, server...

ameliaquining 3 days ago | parent [-]

npm ci wouldn't trigger this; it doesn't pick up newly published package versions. I suppose if you got a PR from Dependabot updating you to the compromised package, and happened to merge it within the window of vulnerability, then you'd get hit, but that will likewise not affect all that many developers. Or if you'd configured Dependabot to automatically merge all updates without review; I'm not sure how common that is.
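The thread's point is that `npm ci` installs exactly what package-lock.json pins, so exposure to a briefly published malicious version comes down to whether a fresh resolution happened inside that window. As an added example (not code from anyone in the thread), the check below reads a lockfile in the v2/v3 `packages` layout together with the registry's per-version `time` map and reports pins younger than a cooldown; the lockfile fragment and registry data are constructed inline so it runs offline.

```python
"""Flag package-lock.json pins whose version was published within a cooldown window."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lockfile fragment (package-lock.json v3 layout).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/@acme/widget": {"version": "2.0.1"},
        "node_modules/@acme/widget/node_modules/tiny": {"version": "0.2.0"},
    },
})

# Constructed stand-in for the registry's "time" map (version -> ISO publish timestamp).
SAMPLE_REGISTRY_TIME = {
    "left-pad-ish": {"1.3.0": "2024-05-01T10:00:00.000Z"},
    "@acme/widget": {"2.0.1": "2024-05-03T09:30:00.000Z", "2.0.0": "2024-04-20T00:00:00.000Z"},
    "tiny": {"0.2.0": "2024-03-01T00:00:00.000Z"},
}

def package_name(lock_path: str) -> str:
    """Map a lockfile path to its package name; nested and scoped entries are handled.
    'node_modules/@acme/widget/node_modules/tiny' -> 'tiny'."""
    return lock_path.split("node_modules/")[-1]

def fresh_pins(lock_json: str, registry_time: dict, now: datetime, cooldown: timedelta) -> list:
    """Return (name, version, age_hours) for pinned versions published less than `cooldown` ago."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a link entry without a version
        name, version = package_name(path), meta["version"]
        published = registry_time.get(name, {}).get(version)
        if published is None:
            continue  # no metadata for this pin; nothing to judge
        ts = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        age = now - ts
        if age < cooldown:
            hits.append((name, version, round(age.total_seconds() / 3600, 1)))
    return hits

if __name__ == "__main__":
    fixed_now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    for name, version, hours in fresh_pins(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, fixed_now, timedelta(hours=72)):
        print(f"{name}@{version} published {hours}h ago (inside cooldown)")
```

Running this against a real lockfile would mean fetching each package's `time` map from the registry; here the fixed "now" and the registry data are constructed.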