Text copied from plone.org advisory.
What happened?
It has come to our attention that there has been a security incident affecting multiple npm packages owned by the npm user ~qix. An attacker was able to gain control over the packages for a short period of time and injected code aimed at stealing login credentials and rerouting cryptocurrency transactions to different wallets. For more information on the details, see this blog post on aikido.dev. The affected packages are:
- backslash
- chalk-template
- supports-hyperlinks
- has-ansi
- simple-swizzle
- color-string
- error-ex
- color-name
- is-arrayish
- slice-ansi
- color-convert
- wrap-ansi
- ansi-regex
- supports-color
- strip-ansi
- chalk
- debug
- ansi-styles
How does it affect Plone?
For the Plone ecosystem the incident should have only a very limited effect: of the affected packages, only the debug package is actually used for builds in the Volto core, and it is pinned to an unaffected version. None of the other compromised packages are used in the Volto core.
What actions do I have to take?
In most cases none. We still advise you to clean caches and node_modules and install again on dev machines, or to rebuild deployments.
If you maintain one or more frontend addons, we advise you to check whether you use any of the affected dependencies, especially without a version pin. If you do, pin the package to a version and release an update of your addon.
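As an added example (not code from the Plone advisory or from Volto), the following Node script performs the check described above: it reads a project's package.json and package-lock.json, reports which of the packages listed in this advisory are present (directly or as transitive dependencies), and flags direct dependencies that are not pinned to an exact version. The sample manifests and version numbers in it are constructed for illustration and say nothing about which versions are safe.

```javascript
// Added example (not Plone/Volto code): find the advisory's packages in an npm project.
const AFFECTED = new Set(['backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi',
  'simple-swizzle', 'color-string', 'error-ex', 'color-name', 'is-arrayish', 'slice-ansi',
  'color-convert', 'wrap-ansi', 'ansi-regex', 'supports-color', 'strip-ansi', 'chalk',
  'debug', 'ansi-styles']);
// Pinned = exact version ("4.3.4"); a range ("^4.3.4", "~4.3.4", "*") lets a fresh install float upward.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const isPinned = (spec) => EXACT_SEMVER.test(String(spec).trim());

// package.json: which affected packages are declared directly, and is each one pinned?
function checkDirectDeps(pkgJson) {
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (AFFECTED.has(name)) hits.push({ name, spec, field, pinned: isPinned(spec) });
    }
  }
  return hits;
}

// package-lock.json (lockfileVersion 2/3): keys are install paths such as "node_modules/chalk"
// or "node_modules/jest/node_modules/supports-color"; the package name is the last segment.
function checkLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = path.match(/(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (m && AFFECTED.has(m[1])) hits.push({ name: m[1], version: entry.version, path });
  }
  return hits;
}
// Constructed sample inputs; the version numbers are illustrative, not a safe/unsafe claim.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { debug: '4.3.4', chalk: '^5.3.0', react: '^18.2.0' },
  devDependencies: { 'strip-ansi': '~7.1.0' },
};
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-addon' },
  'node_modules/debug': { version: '4.3.4' },
  'node_modules/chalk': { version: '5.3.0' },
  'node_modules/jest/node_modules/supports-color': { version: '8.1.1' },
} };
// Usage: node check-advisory.js [package.json] [package-lock.json]; with no args it uses the samples.
if (typeof require !== 'undefined' && require.main === module) {
  const read = (p) => JSON.parse(require('fs').readFileSync(p, 'utf8'));
  const [pj, lk] = process.argv.slice(2);
  console.log('direct:', checkDirectDeps(pj ? read(pj) : SAMPLE_PACKAGE_JSON));
  console.log('installed:', checkLockfile(lk ? read(lk) : SAMPLE_LOCK));
}
```

Any hit from checkLockfile with a version you cannot account for is the trigger for the clean-and-reinstall advice above; for addons, unpinned direct hits are the ones to pin.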