On Fri, Jun 12, 2026 at 03:03:37PM +0200, koraynilay wrote: > welp, running > git log --all --since="10 hours ago" -p -S js-digest --decorate=full | > /bin/grep -Po '(?<=origin/).*(?=\))' > yields ~900 packages[1], quickly skimming through the logs they all seem > to be malicious like the last wave. > > I do see the number decreasing almost each time I run it, but I feel I > should still send the latest list I got. > These are 879 packages.
[...] Wow, the number increased in a couple of hours since I initially posted. Now the malicious package is called lockfile-js (renamed from atomic-lockfile). [1] https://www.npmjs.com/package/lockfile-js
