GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
Examine dependencies and installation scripts. Very recently published, net-new packages, or scripts or dependencies that make network connections during installation should receive extra scrutiny.
I’m a little surprised npm doesn’t already do this and give you a big blinking warning in the install process about it.
I’m a little surprised npm doesn’t already do this and give you a big blinking warning in the install process about it.