GMS-2020-235: Malicious Package

September 2, 2020 (updated September 30, 2021)

The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Remove the package from your environment.

References

github.com/advisories/GHSA-73hr-6785-f5p8
www.npmjs.com/advisories/887

Detect and mitigate GMS-2020-235 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →