Hacker News
by dudeinjapan 297 days ago
Are you affected? Run the affected program. OK, now you are definitely affected.
2 comments

Says the malware is in a post-install script, which will not be called by nx but e.g. after an npm install.
Consider anything pre or post attached to the package as tainting the package.
Consider your entire system tainted, nothing is trustworthy at this point. Wipe and rebuild from known good media.
The malware is "luckily" written in JavaScript and as such quite easy to analyse. No manipulation outside of .zshrc or .bashrc and a temp txt file.
That's what the code you can see now does. It may or may not be the same as what ran.
Nope, because the script was committed to upstream and you can review what ended up in the package.

It seems a lot of general "wisdom" here is thrown by people who have not looked into this particular incident or are unfamiliar with js node dev in general.

Oh good. I guess running the actual program was too many steps.
It might be even better than that:

Create a blog post about a security issue. Post it on HN and get upvotes. Find people who believe they might be affected. Let them run the affected program. Boom.

Either I've grown old and bitter enough that I think this is likely the case, or this is just a rational take and most likely what happened.

I'm not sure which is worse.