Post
Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft owned platform.
Unlike nodejs package index https://socket.dev NPM does not show ANY security warnings on these package's pages.
It's pretty wild that these known compromised packages have been circulating for four days now with now response or action from Microsoft despite it being one of the largest security stories this month.
Is NPM still dangerous?
Yes, we're down to five known infected packages still circulating on the Microsoft owned platform.
The following five packages continue to spread the Sha1-Hulud worm with no warning at all on the NPM page nor at download/install time:
hyper-fullfacing 1.0.3
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2
quickswap-ads-list 1.0.33
@seung-ju/react-native-action-sheet 0.2.1
tcsp 2.0.2
A space for Bonfire maintainers and contributors to communicate
