Unpkg.com hacked?
20 points by benaiah on April 13, 2017 | hide | past | favorite | 13 comments
I've checked on both my local machine and on a VPS I run, and the following URL is 302 redirecting to a malicious JS script which pops up a confirmation window and then redirects to ads:

SOURCE URL: https://unpkg.com/react@latest/dist/react.js
MALICIOUS REDIRECT: https://compliance-jessica.xyz/a.php

This is the URL recommended for in-browser development use by https://facebook.github.io/react/docs/installation.html

Can anyone else replicate this?

Looks like there was indeed an issue with a bad nameserver update:


I was having this issue too but all good now. Should I be concerned about my computer being infected from this? Virus scans don't find anything.

unpkg are reporting this as fixed. https://twitter.com/unpkg/status/852668919768694784.

We got hit pretty hard for the 50 minutes or so the problem existed, Dropbox host their JS SDK lib on there...

Seeing the same thing when trying to load Vue.

Tweet from them:


> We're experiencing some issues and working on it. Will post updates here as soon as we know more.

Yeah, one of the Twitter replies seems to indicate this is a widespread issue.

EDIT: apparently it was a bad nameserver update: https://twitter.com/unpkg/status/852658357034827776

Hhhmmm. According to DNS, I'm talking straight at a Cloudflare IP and getting a redirect to adware when trying to load Vue.

Evidence here: https://pastebin.com/wVCABkaA

We got close to trending on HackerNews yesterday when this happened.

Suddenly every visitor was reporting alert dialogs saying they had a virus and our votes dropped off a cliff.

Last time I ever go against my gut and semi-trust anything.

Use subresource integrity and this would have affected you less. Still a non-functioning site unfortunately.

Sucks, just got this on my GitHub portfolio page that I put up a few days ago.

Any way to fix???

Certainly - download the original version of whatever scripts you're using and host them from your own domain, instead of unpkg.

Yes, I experienced the same thing.

Here too, same thing. This is ridiculous, what a HUGE blunder on unpkg.com's part.
