GMS-2020-223: Malicious Package
The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems. Remove the package from your environment and perform additional incident response on your system’s files and processes.