Earlier this week I spotted and fixed some malicious code in the purescript npm installer, which was causing the hang during installation which many of you were seeing. I’ve put a full write-up on my blog:
https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer/
Quick summary
- Malicious code was added to various dependencies of the purescript npm installer
- @shinnn claims that the malicious code was published by an attacker who gained access to his npm account
- As far as we are aware, the only purpose of the malicious code was to sabotage the purescript npm installer to prevent it from running successfully
- In the latest version of the purescript npm installer, the malicious code has now been removed, and all dependencies of @shinnn’s have been dropped
- If you want to be absolutely sure you do not have malicious code on your machine, you should delete your `node_modules` directories and your `package-lock.json` files, and set a lower bound of `0.13.2` on the `purescript` package
- We are in ongoing discussion with npm support in order to ascertain what else we can do to mitigate the issue