GMS-2020-432: Malicious Package

September 3, 2020 (updated September 29, 2021)

of pizza-pasta contains malicious code as a install scripts. The package created folders in the system’s Desktop and downloaded an image from imgur.com. The package also printed the users SSH keys to the console. Remove the package from your environment. There are no evidences of further compromise.

References

github.com/advisories/GHSA-wxrm-2h86-v95f
www.npmjs.com/advisories/1196

Detect and mitigate GMS-2020-432 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →