Remix.run Logo
beart 3 hours ago

It has nothing to do with npm. However, a binary could be configured to extract your git/npm secrets using this exploit, which could then lead to a npm supply chain attack (or pip, etc. etc.).

awongh 2 hours ago | parent [-]

I meant the attack would be the other way around- if an infected package had the git.exe file in their root.

Or, the infected package could also copy that file into the parent project's root.

beart 2 hours ago | parent [-]

Oh yeah that's a good point - two layers of auto executing scripts/binaries.