NPM debug and chalk packages compromised
If you deployed any Node app in the last 30 days you may be serving malware right now. Attackers slipped a back-door into chalk, debug, ansi-regex and 15 other ultra-popular packages that sit *everywhere* in your dependency tree. The poisoned versions look normal in CI logs but steal credentials and environment variables at runtime. One-liner to check your lockfile and the exact clean versions are inside. Patch today—your next npm install is too late. https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
aikido.dev · 3 min read