2 comments

[ 4.5 ms ] story [ 14.9 ms ] thread
(comment deleted)
Sounds like the attacker is getting pretty smart about this stuff too. They have a self-hosted registry with the offending package so it can't get yanked from the actual npm registry

>The attackers now host the attack from mave-finance/next-assessment. The malicious dependency is json-mock-config-server which is not listed in the npm registry, but rather is served from npm.mave.finance as before, the registry listed in .npmrc.