
Unpkg.com hacked? - benaiah
I've checked on both my local machine and on a VPS I run, and the following URL is 302 redirecting to a malicious JS script which pops up a confirmation window and then redirects to ads:

SOURCE URL: https://unpkg.com/react@latest/dist/react.js
MALICIOUS REDIRECT: https://compliance-jessica.xyz/a.php

This is the URL recommended for in-browser development use by https://facebook.github.io/react/docs/installation.html

Can anyone else replicate this?
======
NuclearFishin
Looks like there was indeed an issue with a bad nameserver update:

[https://twitter.com/unpkg/status/852660203275276289](https://twitter.com/unpkg/status/852660203275276289)

------
Erd0s6
I was having this issue too but all good now. Should I be concerned about my
computer being infected from this? Virus scans don't find anything.

------
davidjgraph
unpkg are reporting this as fixed.
[https://twitter.com/unpkg/status/852668919768694784](https://twitter.com/unpkg/status/852668919768694784).

We got hit pretty hard for the 50 minutes or so the problem existed, Dropbox
host their JS SDK lib on there...

------
davidkhess
Seeing the same thing when trying to load Vue.

Tweet from them:

[https://twitter.com/unpkg/status/852655106562564098](https://twitter.com/unpkg/status/852655106562564098)

> We're experiencing some issues and working on it. Will post updates here as
> soon as we know more.

~~~
benaiah
Yeah, one of the Twitter replies seems to indicate this is a widespread issue.

EDIT: apparently it was a bad nameserver update:
[https://twitter.com/unpkg/status/852658357034827776](https://twitter.com/unpkg/status/852658357034827776)

~~~
davidkhess
Hhhmmm. According to DNS, I'm talking straight at a Cloudflare IP and getting
a redirect to adware when trying to load Vue.

Evidence here: [https://pastebin.com/wVCABkaA](https://pastebin.com/wVCABkaA)

------
CorySimmons
We got close to trending on HackerNews yesterday when this happened.

Suddenly every visitor was reporting alert dialogs saying they had a virus and
our votes dropped off a cliff.

Last time I ever go against my gut and semi-trust anything.

------
himlion
Use subresource integrity and this would have affected you less. Still a
non-functioning site unfortunately.
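
The subresource integrity (SRI) suggestion above, as an added example that is not part of the thread: a build-time helper that emits the `integrity` attribute for a script you have reviewed, plus an approximation of the browser's check showing that a swapped response body is refused. The pinned URL is a placeholder and both script bodies are constructed stand-ins.

```python
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for a file's bytes."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def sri_allows(body: bytes, integrity: str) -> bool:
    """Approximate the browser's decision for a fetched script body."""
    tokens = []
    for tok in integrity.split():
        alg, _, value = tok.partition("-")
        if alg in STRENGTH and value:
            tokens.append((alg, value.split("?")[0]))  # options after '?' are ignored
    if not tokens:
        return True  # no usable hash: the browser loads the script unchecked
    strongest = max(STRENGTH[alg] for alg, _ in tokens)
    # Only hashes that use the strongest listed algorithm are considered.
    return any(
        sri_hash(body, alg) == alg + "-" + value
        for alg, value in tokens
        if STRENGTH[alg] == strongest
    )

def script_tag(url: str, body: bytes) -> str:
    """Build the tag; crossorigin is required for SRI on cross-origin scripts."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        url, sri_hash(body))

# Assumption: a version-pinned URL (placeholder, not a real version number).
PINNED_URL = "https://unpkg.com/react@<pinned-version>/dist/react.js"
# Constructed sample bodies, not real library or redirect content.
GOOD = b"/* constructed stand-in for the reviewed react.js build */\nvar React = {};\n"
SWAPPED = b"/* constructed stand-in for whatever the redirect served */\nvar x = 1;\n"

if __name__ == "__main__":
    print(script_tag(PINNED_URL, GOOD))
    print("reviewed copy loads:", sri_allows(GOOD, sri_hash(GOOD)))
    print("swapped body loads:", sri_allows(SWAPPED, sri_hash(GOOD)))
```

SRI only works with a version-pinned URL: a `@latest` URL legitimately changes content, so its hash cannot be fixed in advance.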

------
DorianDevelops
Sucks, just got this on my GitHub portfolio page that I put up a few days ago.

Any way to fix???

~~~
benaiah
Certainly - download the original version of whatever scripts you're using and
host them from your own domain, instead of unpkg.

~~~
shanecleveland
Create fallbacks for future cases:
[https://css-tricks.com/snippets/jquery/fallback-for-cdn-host...](https://css-tricks.com/snippets/jquery/fallback-for-cdn-hosted-jquery/)

------
murftown
Yes, I experienced the same thing.

------
svdpeijl
Here too - same thing. This is ridiculous, what a HUGE blunder on unpkg.com's
part.

