mistic100 / jQuery-QueryBuilder

jQuery plugin offering an interface to create complex queries
https://querybuilder.js.org
MIT License
1.68k stars, 552 forks

Beware of which package you install, "jQuery-QueryBuilder" is NOT malware #952

Closed Prophecy35363 closed 2 years ago

Prophecy35363 commented 2 years ago

Received a GitHub advisory stating that this library is malware, but I can't find any evidence as to why. Do people think there is any truth to this?

Cashewz commented 2 years ago

A malicious package with the same name (written in lowercase) exists; that causes this issue.

See https://github.com/github/advisory-database/issues/419#issuecomment-1160928395

mistic100 commented 2 years ago

Thank you both for the report, I pinned the issue.

For anyone landing here, this library is named jQuery-QueryBuilder (with uppercase letters). jquery-querybuilder contained malicious code and was removed by the npm team.
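Added example (not part of the thread and not the project's code): a check that flags dependency names in a parsed `package.json` or `package-lock.json` that match the intended package name only when letter case is ignored. The function names, the `EXPECTED` list and the sample lockfile are assumptions constructed for illustration.

```javascript
// Names you intend to depend on, spelled exactly as published.
// The spelling below is the one given by the maintainer in this thread.
const EXPECTED = ["jQuery-QueryBuilder"];

// Extract the package name from a lockfile v2/v3 "packages" key,
// e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
// The root entry ("") has no node_modules segment and yields null.
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Collect every dependency name from a parsed package.json or package-lock.json.
function collectNames(doc) {
  const names = new Set();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const n of Object.keys(doc[field] || {})) names.add(n);
  }
  for (const key of Object.keys(doc.packages || {})) {
    const n = nameFromLockKey(key);
    if (n) names.add(n);
  }
  return [...names];
}

// Return names that equal an expected name case-insensitively but not exactly.
function findCaseLookalikes(doc, expected = EXPECTED) {
  const byLower = new Map(expected.map((e) => [e.toLowerCase(), e]));
  return collectNames(doc)
    .filter((n) => byLower.has(n.toLowerCase()) && byLower.get(n.toLowerCase()) !== n)
    .map((n) => ({ found: n, expected: byLower.get(n.toLowerCase()) }));
}

// Constructed sample lockfile (versions are placeholders, not real releases).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "jquery-querybuilder": "0.0.0" } },
    "node_modules/jquery-querybuilder": { version: "0.0.0" },
    "node_modules/jquery": { version: "0.0.0" },
  },
};

console.log(findCaseLookalikes(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the lockfile contents instead of `sampleLock`.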