. #4857

Closed
hktalent opened this issue Oct 31, 2023 · 13 comments · Fixed by #4858
Comments

@hktalent

hktalent commented Oct 31, 2023

No description provided.

@hktalent hktalent changed the title A serious security vulnerability that can lead to remote command execution A serious security vulnerability that can lead to remote command execution(RCE) Oct 31, 2023
@Tyriar
Member

Tyriar commented Oct 31, 2023

Oh, we haven't published that addon yet. I'm guessing since you published your own, we now need to change the name of the addon ☹️

@Tyriar
Member

Tyriar commented Oct 31, 2023

Removing the install step in #4858

@Tyriar Tyriar self-assigned this Oct 31, 2023
@Tyriar
Member

Tyriar commented Nov 1, 2023

@hktalent we never announced nor released unicode-graphemes, additionally there's also a big warning at the top of the readme that using it might cause issues. I really don't think this is a problem.

@jerch
Member

jerch commented Nov 1, 2023

@hktalent we never announced nor released unicode-graphemes, I really don't think this is a problem.

I second that.

CVEs are meant to inform about critical software bugs and vulnerabilities, not to inform ppl that you rogue-sniped a package name we maybe would have used in the future (which is unfortunate for us, but no biggie). It is still the user's responsibility to check the origin of a software package.
On a side note - in some countries your action might be liable to prosecution under certain anti-fraud terms.

@Tyriar I just talked about the issue with a friend - he suggested to check if we can open an org on npm and use a "@namespace" prefix on the npm packages (should be lockable on that org) to avoid these sort of issues in the future.

@Tyriar
Member

Tyriar commented Nov 1, 2023

@jerch 👍 created https://www.npmjs.com/org/xtermjs

@Tyriar
Member

Tyriar commented Nov 1, 2023

I just realized I had already created https://www.npmjs.com/org/xterm in the past

@jerch
Member

jerch commented Nov 1, 2023

Well tricky part prolly is to get that namespace thingy rolling? Idk how that works, would that turn xterm into @xterm/xterm? (or @xtermjs/xterm, if you prefer the js in the name...)

@Tyriar
Member

Tyriar commented Nov 1, 2023

@jerch created #4859 to discuss - since it's npm js, let's go with @xterm

@Tyriar
Member

Tyriar commented Nov 1, 2023

@hktalent thanks for bringing this to our attention though. The project is definitely better/safer thanks to your report ❤️

@davidfiala
Contributor

davidfiala commented Nov 3, 2023

FYI, an article popped up today in a daily newsletter I receive from https://tldr.tech/ linking to https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/

It appears that the individual here also registered xterm-addon-clipboard but neglected to report it here. It too contains a live reverse shell virus (the reverse shell part is obfuscated, but I observed it to be very real in a test environment).

https://www.npmjs.com/package/xterm-addon-clipboard?activeTab=code

https://www.npmjs.com/package/xterm-addon-unicode-graphemes?activeTab=code

Although there is not a CVE here, I would recommend possibly contacting NPM repos and requesting they take them down to avoid accidental installs.

@jerch
Member

jerch commented Nov 3, 2023

@davidfiala Thx for bringing this to our attention. Do you happen to have some insights about what the malware exactly does? It might also be a good idea to save log files, just in case this gets into real law waters.

@Tyriar We prolly should flag these packages as malware on npm via this form: https://www.npmjs.com/support?inquire=security&security-inquire=malware&package=xterm-addon-clipboard&version=6.0.4 Or if you have any way to contact npm peeps, whatever works here...

Edit: @davidfiala Nevermind, the phylum article has a deeper walkthrough on it...

@Tyriar
Member

Tyriar commented Nov 3, 2023

Little annoying that the package names were getting sniped, including future ones coming in PRs #4220. But anyway, the problem is fixed now that we're using scoped.

I reported the packages, though it would have been better to get a heads up rather than actually publishing a reverse shell.
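The thread's mitigation is to publish under an npm org scope (jerch's `@namespace` suggestion above and Tyriar's move to scoped packages). The consumer-side counterpart is a check that a project's own manifest only pulls the scoped names, since an unscoped or foreign-scoped look-alike can be registered by anyone. The following is an added example, not code from the xterm.js project or from anyone in this thread; the scope `@xterm`, the set of owned bare names, the `xterm-addon-<name>` legacy pattern and the sample dependency map are all constructed assumptions for illustration.

```javascript
// Added example (not xterm.js project code): audit a package.json "dependencies"
// map for names that look like a project's packages but are not under the scope
// the project owns. Run in CI before install, or over an existing manifest.

// Assumed for illustration: the npm scope the project owns and the bare names
// it publishes under that scope.
const TRUSTED_SCOPE = '@xterm';
const OWNED_BARE_NAMES = new Set([
  'xterm',
  'addon-clipboard',
  'addon-unicode-graphemes',
  'addon-fit',
]);

// Assumed legacy (unscoped) naming on this page: "xterm" and "xterm-addon-<name>".
// Returns the bare name such a package would have under the scope, or null when
// the name is unrelated to the project.
function legacyToBareName(name) {
  if (name === 'xterm') return 'xterm';
  const m = /^xterm-(addon-[a-z0-9-]+)$/.exec(name);
  return m ? m[1] : null;
}

// Split "@scope/bare" into its parts; an unscoped name gets scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], bare: m[2] } : { scope: null, bare: name };
}

// Returns one finding per suspicious dependency:
//   unscoped-lookalike : legacy-style name that is not under the owned scope
//   foreign-scope      : an owned bare name published under some other scope
// Each finding carries the scoped name the manifest should use instead.
function auditDependencies(deps, scope = TRUSTED_SCOPE, owned = OWNED_BARE_NAMES) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const { scope: depScope, bare } = splitName(name);
    if (depScope === scope) continue; // published under the owned scope: fine
    if (depScope === null) {
      const legacyBare = legacyToBareName(bare);
      if (legacyBare && owned.has(legacyBare)) {
        findings.push({ name, kind: 'unscoped-lookalike', suggestion: `${scope}/${legacyBare}` });
      }
    } else if (owned.has(bare)) {
      findings.push({ name, kind: 'foreign-scope', suggestion: `${scope}/${bare}` });
    }
  }
  return findings;
}

// Constructed sample "dependencies" block; not a real project's manifest.
const SAMPLE_DEPENDENCIES = {
  '@xterm/xterm': '^5.0.0',
  '@xterm/addon-fit': '^0.8.0',
  'xterm-addon-clipboard': '^0.1.0',
  '@not-the-project/addon-unicode-graphemes': '^1.0.0',
  'lodash': '^4.17.21',
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.kind}: ${f.name} -> use ${f.suggestion}`);
}
```

On the sample manifest the audit reports `xterm-addon-clipboard` as an unscoped look-alike and `@not-the-project/addon-unicode-graphemes` as a foreign-scope package, while the two `@xterm/` entries and the unrelated `lodash` pass. The check is deliberately name-based: it does not fetch anything from the registry, so it runs offline and cannot itself be tricked by registry metadata.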

@jerch
Member

jerch commented Nov 5, 2023

@hktalent If you are looking for collecting bounties here - sorry, you are barking up the wrong tree. This project is fully voluntary OSS-driven; we have lit. 0 bucks at disposal.

@hktalent hktalent changed the title A serious security vulnerability that can lead to remote command execution(RCE) . Nov 5, 2023