Closed cian-personio closed 10 months ago
Hi @cian-personio,
Thanks for reaching out with this! Unfortunately, npm malware advisories are a bit out of our hands. We rely on npm to update and/or eliminate them.
It sounds like you're already in touch with npm support, so I encourage you to reach back out to them to resolve the issue.
Sorry we can't be more help! I'm going to close this issue as there's nothing more we can do.
This is in relation to https://github.com/advisories/GHSA-8m6q-xfx2-69c2
The package in question is an internal package - and was the target of an NPM Dependency Confusion attack in August 2022. At the time of the attack we reviewed our internal repositories and found no evidence of a breach as all the internal repositories were pointing to our internal repo and hence were not affected.
We got in touch with the NPM team immediately after becoming aware of the issue and the package was taken down and a security placeholder was put in its place. We also got the domains that the malicious package was communicating with taken down.
Is it possible to get this advisory removed as it is an internal package and a placeholder has been in its place since August 2022?
If not, can adjustments be made to the 'Affected Versions'? Currently, this advisory says that any version > 0 is affected. Version 0.0.4 was the last affected version (affected versions were 0.0.2 -> 0.0.4) on the public registry before the Security Placeholder was added.
If any additional information is needed, please let me know.
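The review the reporter describes above, confirming that every internal package resolves from the internal registry rather than the public one, is the core dependency-confusion check, and it can be automated over the lockfile and `.npmrc` instead of done by hand. The script below is an added example, not the reporter's tooling and not code from the advisory database; the `@acme` scope, the `npm.acme.internal` registry, the `.npmrc` text and the `package-lock.json` entries are all constructed for illustration and have nothing to do with the package named in the advisory. It flags any package in an internal scope whose `resolved` URL points at a registry other than the one the scope is pinned to, and any internal scope that has no registry override at all (which is exactly the state a dependency-confusion attack relies on).

```javascript
// Added example (not the reporter's or the advisory database's code): audit a
// package-lock.json plus .npmrc for internal-scope packages that resolve from
// the public npm registry. The scope "@acme", the registry
// "https://npm.acme.internal/" and all sample data below are constructed.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

function withTrailingSlash(url) {
  return url.endsWith("/") ? url : url + "/";
}

// Parse only the .npmrc keys that matter for this check: the default registry
// and per-scope "@scope:registry=" overrides. Auth tokens etc. are ignored.
function parseNpmrc(text) {
  const config = { defaultRegistry: PUBLIC_REGISTRY, scoped: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = withTrailingSlash(line.slice(eq + 1).trim());
    if (key === "registry") config.defaultRegistry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      config.scoped[key.slice(0, -":registry".length)] = value;
    }
  }
  return config;
}

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/@acme/internal-utils" or "node_modules/a/node_modules/@acme/b".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx < 0 ? null : path.slice(idx + marker.length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Returns findings; an empty list means every package in an internal scope is
// pinned to the internal registry in .npmrc and was resolved from it in the lock.
function auditLockfile(lock, npmrcConfig, internalScopes) {
  const findings = [];
  for (const scope of internalScopes) {
    if (!npmrcConfig.scoped[scope]) {
      findings.push({
        package: scope,
        reason: "no registry override in .npmrc; scope resolves from " + npmrcConfig.defaultRegistry,
      });
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!name) continue;
    const scope = scopeOf(name);
    if (!scope || !internalScopes.includes(scope)) continue;
    const expected = npmrcConfig.scoped[scope];
    if (!entry.resolved) {
      findings.push({ package: name, reason: "no resolved URL in lockfile" });
    } else if (!expected || !entry.resolved.startsWith(expected)) {
      findings.push({ package: name, reason: "resolved from " + entry.resolved });
    }
  }
  return findings;
}

// Constructed sample inputs: one internal package was installed from the public
// registry (the confusion case), one from the internal registry, plus a normal
// public dependency that the audit must ignore.
const SAMPLE_NPMRC = [
  "# constructed example .npmrc",
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.acme.internal",
].join("\n");

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@acme/internal-utils": {
      version: "0.0.4",
      resolved: "https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-0.0.4.tgz",
    },
    "node_modules/@acme/auth-client": {
      version: "1.2.0",
      resolved: "https://npm.acme.internal/@acme/auth-client/-/auth-client-1.2.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

function runExample() {
  return auditLockfile(SAMPLE_LOCK, parseNpmrc(SAMPLE_NPMRC), ["@acme"]);
}

for (const f of runExample()) console.log(`${f.package}: ${f.reason}`);
```

Run it with a real `package-lock.json` read via `JSON.parse(fs.readFileSync(...))` and the project's (and the user's, and the CI runner's) `.npmrc` contents. A package that is in the lockfile with no `resolved` URL at all is reported too, because in that case the lockfile gives no evidence of where it came from, and the check should be repeated on every `package-lock.json` in the organisation rather than on one representative project.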