[ggreer]

Note that the only vulnerable version was @vue/cli v5.0.2, which was intended to pin the version of node-ipc to v9.2.1 but accidentally allowed versions greater than that: https://github.com/vuejs/vue-cli/commit/37ef809c873f33c88ba7...

The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...

It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.

1. https://www.npmjs.com/package/@vue/cli?activeTab=versions

2. https://vuejs.org/guide/quick-start.html

3. https://github.com/vuejs/create-vue