On Fri, Jun 12, 2026 at 03:03:37PM +0200, koraynilay wrote:
> welp, running
> git log --all --since="10 hours ago" -p -S js-digest --decorate=full | 
> /bin/grep -Po '(?<=origin/).*(?=\))'
> yields ~900 packages[1], quickly skimming through the logs they all seem
> to be malicious like the last wave.
> 
> I do see the number decreasing almost each time I run it, but I feel I
> should still send the latest list I got.
> These are 879 packages.

[...]

Wow, the number increased in a couple of hours since I initially posted.

Now the malicious package is called lockfile-js (renamed from
atomic-lockfile).

[1] https://www.npmjs.com/package/lockfile-js

Reply via email to