Replies: 11 comments 29 replies
-
|
After investigation, it was found that the token of one of our team members might have been stolen. We are handling it urgently. 经排查可能是我们团队一名成员的 token 被盗用了,我们正在紧急处理 |
Beta Was this translation helpful? Give feedback.
-
|
请问什么原因会导致token 被盗用? |
Beta Was this translation helpful? Give feedback.
-
|
源头是某个 GitHub Actions workflow 存在 Pwn Request 漏洞,位于另一个 GitHub 组织。Vant 和 Rspack 所在的组织以及维护者是被间接攻击的,本身不存在漏洞。 攻击者拿到了该 workflow 中的 token 后,利用该 token 具有的多组织贡献权限,直接 push 代码继续窃取其他 GitHub 组织 workflows 中的 token,最终拿到 Vant 与 Rspack 的 npm token。 目前相关 token 和源头 workflow 漏洞已经全部处理。 |
Beta Was this translation helpful? Give feedback.
-
|
这个 |
Beta Was this translation helpful? Give feedback.
-
|
未来可能会公开更多信息 |
Beta Was this translation helpful? Give feedback.
-
|
The following abnormal versions have been injected with scripts by hackers and have all been marked as deprecated. Please do not use them! 以下异常版本被盗号者注入了脚本,已经全部标记为废弃,请勿使用!
|
Beta Was this translation helpful? Give feedback.
-
|
废弃就可以了吗?是否需要重新发个干净的新包兜一下? |
Beta Was this translation helpful? Give feedback.
-
|
在发布了 |
Beta Was this translation helpful? Give feedback.
-
|
那辛苦每个分支都发一个 /抱拳 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
A new and secure version has been released, and the npm latest tag already points to the new version: 已发布安全的新版本,npm latest tag 已经指向新版本: The following are deprecated versions, please do not use 以下是已经废弃的异常版本,请勿使用
|
Beta Was this translation helpful? Give feedback.
-
|
看了下这些废弃的版本都是今天发布的,这是不是意味着只要今天没有安装过 vant 就没问题 |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
请问更旧的版本会受影响吗?比如2.13.2, 2.12.x? |
Beta Was this translation helpful? Give feedback.
-
你好,更旧的版本不会受到影响。 |
Beta Was this translation helpful? Give feedback.
-
|
请问2.12.53版本有没有受影响? |
Beta Was this translation helpful? Give feedback.
-
|
cnpm/bug-versions#262 npmmirror 应急修复 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! Can you add |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks! ❤️ |
Beta Was this translation helpful? Give feedback.
-
|
与本次事件关联的攻击: 攻击者基于一系列攻击,获取了 Rspack 维护者的 token,并发布了带有相同恶意代码的 Rspack 1.1.7 版本。 Rspack 团队已经在一小时内完成该版本的废弃处理,并发布了 1.1.8 修复版本,参考 web-infra-dev/rspack#8767 (comment) 目前相关 token 已经全部清理。 |
Beta Was this translation helpful? Give feedback.
-
|
是的,受影响的包为 目前未发现其他受影响的 npm 包。 |
Beta Was this translation helpful? Give feedback.
-
|
攻击者先在rspack注入恶意代码,然后用恶意的rspack打包vant? |
Beta Was this translation helpful? Give feedback.
-
|
不是,先受攻击的是 该问题与 Rspack 打包无关,因为本次攻击者发布的 Rspack v1.1.7 是无法运行的错误版本。 |
Beta Was this translation helpful? Give feedback.
-
|
师傅在哪里可以下载到恶意的版本吗?我想分析看看 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
这个安全漏洞会导致什么bug或者情况呢 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
恶意代码分析参考:web-infra-dev/rspack#8767 (comment) |
Beta Was this translation helpful? Give feedback.
-
|
请问问题版本具体的发布时间是什么时候,我们需要确认近两天刚发布的版本有没有受影响 |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
|
hi 如何检查自己是否中了,能给一个自检流程吗?在lock文件中找版本? |
Beta Was this translation helpful? Give feedback.
-
|
我之所以能比较早发现这个,是因为我有一个习惯,首先业务项目带lock, 然后想要更新依赖时,先npm outdated检查版本,发现有新版本时在更新前都会去GitHub看一下changelog, 从changelog里面判断是不是有不兼容更新,是否可以不做修改直接升级,由此才比较早发现这个。 |
Beta Was this translation helpful? Give feedback.
-
|
大厂的npm源按理说都是走的自建的源,要走安全审查的吧? |
Beta Was this translation helpful? Give feedback.
-
|
有没有可能进行最后一道程序 能提交代码的某位被盗号了 |
Beta Was this translation helpful? Give feedback.
-
|
怎么检查一下自己电脑有没有中招哇 |
Beta Was this translation helpful? Give feedback.
-
|
同问 |
Beta Was this translation helpful? Give feedback.
-
|
vant-weapp小程序包有没有注入恶意代码? |
Beta Was this translation helpful? Give feedback.
-
|
你好,小程序包没有受到影响。 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
All reactions