GMS-2020-409: Malicious Package
All versions of nodes.js contain malicious code. The package searches for and globally installs thousands of packages matching the keywords node, react, react-native, vue, angular and babel in order to fill the system’s memory. Remove the package from your environment and verify which packages are installed.
Detect and mitigate GMS-2020-409 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.