Malicious NPM packages
2025-05-23 00:56:12.430241+02 by Dan Lyke 0 comments
Destructive malware available in NPM repo went unnoticed for 2 years, interestingly they had date triggered destructive behavior, which makes me wonder if there's some deeper "when you try to reconstruct your machine after the destruction, it loads deeper payload" sort of game at play.
Just deleting shit is so 1992 or something...
The affected packages were: js-bomb js-hood vite-plugin-bomb-extend vite-plugin-bomb vite-plugin-react-extend vite-plugin-vue-extend vue-plugin-bomb quill-image-downloader