GHSA-gwjw-ph82-w683 - Malware in duo_web_sdk #2701
As far as I can tell duo_web_sdk is deprecated, but it is Duo's code and not malware. https://github.com/duosecurity/duo_web_sdk
Can anyone explain why this advisory exists, because the advisory itself has no references and simply claims it is all malware, and I can't find any reference anywhere else suggesting that this package has ever been compromised or hijacked.

Comments

The advisory refers to the npm package here

@pidydx any further questions here or shall we close this issue down?

@darakian Thanks for the explanation! @KateCatlin I ran into this problem because
But the package.json involved isn't pointing at that package. https://github.com/bitwarden/clients/blob/e9f0c07b02c539a365bb68c678c31f1ba4e04dd8/package.json#L173C53-L173C53 I'm not super familiar with the npm ecosystem, but it sounds like it might be a bug elsewhere so this is probably fine to close. It might be worth it to add that package link to the advisory to make it clear what the advisory is referring to since Duo publishes their own duo_web_sdk. Thanks!

@pidydx Ah, interesting. I think you've stumbled on a bug in npm doing package resolution where it thinks the package is coming from

@KateCatlin should be good, I will close. @darakian The way I stumble onto bugs, this would not surprise me. Thanks all!
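The thread turns on one question: does an advisory filed against an npm registry package name apply to a project whose package.json pulls a same-named package from a git URL instead? The script below is an added example, not code from this issue, from Bitwarden, Duo, or npm; it classifies a dependency's source from the manifest spec and cross-checks the lockfile's `resolved` URL, which is the check a practitioner wants before acting on (or dismissing) such an alert. The package.json and package-lock.json objects are constructed samples, the commit hash is a placeholder, and the spec classifier is a deliberate simplification of npm's own parsing (npm-package-arg), not a reproduction of the resolution bug mentioned above.

```javascript
// Added example: decide whether an advisory against an npm registry package
// name describes what a project actually installs. Not from the issue thread
// or any project it mentions; the manifests below are constructed samples.

// Rough classifier for a package.json dependency spec. Simplified from what
// npm-package-arg does; good enough to separate registry from git sources.
function classifySpec(spec) {
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:)/.test(spec)) return "git";
  if (/^https?:\/\/(www\.)?(github|gitlab|bitbucket)\.(com|org)\//.test(spec)) return "git";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git"; // "owner/repo" GitHub shorthand
  if (/^https?:\/\//.test(spec)) return "tarball-url";
  if (/^(file:|link:|workspace:)/.test(spec)) return "local";
  if (/^npm:/.test(spec)) return "registry"; // alias, still fetched from the registry
  return "registry"; // semver range, dist-tag, or "*"
}

// The lockfile records the URL the package was actually fetched from, which is
// the authoritative answer. Registry packages resolve to registry.npmjs.org
// (or a configured mirror); git dependencies resolve to a git+ URL pinned to a commit.
function resolvedSource(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) return "absent";
  const resolved = entry.resolved || "";
  if (resolved.startsWith("git+")) return "git";
  if (/^https?:\/\/registry\.npmjs\.org\//.test(resolved)) return "registry";
  if (/^https?:\/\//.test(resolved)) return "other-host";
  return "unknown";
}

// Combine manifest and lockfile views for the package the advisory names.
// A disagreement between the two is itself a finding worth a manual look.
function checkAdvisory(pkgJson, lock, advisedName) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const spec = deps[advisedName];
  if (spec === undefined) return { present: false, verdict: "not a direct dependency" };
  const specKind = classifySpec(spec);
  const lockKind = resolvedSource(lock, advisedName);
  let verdict;
  if (specKind === "registry" && lockKind === "registry") {
    verdict = "advisory applies: installed from the npm registry";
  } else if (specKind === "git" && lockKind === "git") {
    verdict = "advisory names a different artifact: dependency is git-sourced";
  } else {
    verdict = "manifest and lockfile disagree, inspect manually";
  }
  return { present: true, spec, specKind, lockKind, verdict };
}

// Constructed sample manifest: one git-sourced dependency sharing a name with a
// registry package, one ordinary registry dependency.
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    duo_web_sdk: "git+https://github.com/duosecurity/duo_web_sdk.git",
    lodash: "^4.17.21",
  },
};

// Constructed sample lockfile (v3 layout); the 40-zero hash is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/duo_web_sdk": {
      resolved: "git+ssh://git@github.com/duosecurity/duo_web_sdk.git#0000000000000000000000000000000000000000",
    },
    "node_modules/lodash": {
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

for (const name of ["duo_web_sdk", "lodash", "left-pad"]) {
  const result = checkAdvisory(samplePackageJson, sampleLock, name);
  console.log(`${name}: ${result.verdict}`);
}
```

Run it against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))` of its package.json and package-lock.json; the lockfile view matters more than the manifest view, because it reflects what was installed rather than what was requested, and any "disagree" verdict means the advisory tooling and the install may be looking at different artifacts.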