Security announcement: malicious code in purescript npm installer

Earlier this week I spotted and fixed some malicious code in the purescript npm installer, which was causing the hang during installation which many of you were seeing. I’ve put a full write-up on my blog:

https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer/

Quick summary

  • Malicious code was added to various dependencies of the purescript npm installer
  • @shinnn claims that the malicious code was published by an attacker who gained access to his npm account
  • As far as we are aware, the only purpose of the malicious code was to sabotage the purescript npm installer to prevent it from running successfully
  • In the latest version of the purescript npm installer, the malicious code has now been removed, and all dependencies of @shinnn’s have been dropped
  • If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package
  • We are in ongoing discussion with npm support in order to ascertain what else we can do to mitigate the issue
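Added example (not from the original post or the PureScript project): a small Node script that audits a package-lock.json for installed copies of the purescript package below the 0.13.2 lower bound recommended above, so a project can be checked before node_modules and the lockfile are deleted. The sample lockfile embedded in the script is constructed for illustration.

```javascript
// Audit a package-lock.json for installs of "purescript" below 0.13.2, the
// lower bound recommended in the announcement. Handles lockfile v1 (nested
// "dependencies" tree) and v2/v3 (flat "packages" map keyed by install path).
const MIN_SAFE = '0.13.2';

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
// Pre-release suffixes are ignored for this check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every purescript install below minSafe as { path, version } records.
function findOutdatedPurescript(lock, minSafe = MIN_SAFE) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by node_modules path
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/purescript') && meta.version &&
        compareVersions(meta.version, minSafe) < 0) {
      hits.push({ path: p, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (only walked when no
  // "packages" map exists, so v2 lockfiles are not double-counted)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'purescript' && meta.version &&
          compareVersions(meta.version, minSafe) < 0) {
        hits.push({ path: p, version: meta.version });
      }
      walk(meta.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v1 layout): a top-level purescript 0.13.0 that
// should be flagged, and a nested 0.13.2 that should not.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    purescript: { version: '0.13.0', dependencies: { 'some-dep': { version: '1.0.0' } } },
    pulp: { version: '13.0.0', dependencies: { purescript: { version: '0.13.2' } } },
  },
};

console.log(findOutdatedPurescript(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any non-empty result means the lockfile still pins an affected installer version.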