Communication on CanisterWorm

Dear open source community,

On March 20th GitHub learned, through a public disclosure by socket.dev, of a new supply chain attack, dubbed CanisterWorm, that affects more than 64 unique npm packages. We have disabled the malicious npm packages in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attacks or malware campaigns that are causing technical harm.

What can you do?

Dependabot can send security alerts when your repositories depend on known malicious versions of npm packages. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories in the GitHub Advisory Database. Follow the instructions at the end of this changelog to enable those alerts.
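To make the matching step concrete, here is an added example (not Dependabot's or GitHub's code) that does the same thing by hand: it reads the resolved package versions out of a package-lock.json and compares each one against the vulnerable version ranges of malware-type advisories. Both the lockfile and the advisory list are constructed fixtures; the advisory objects are shaped like the GitHub Advisory Database REST response (ghsa_id, type, vulnerabilities[].package.name, vulnerabilities[].vulnerable_version_range), but the package names and GHSA identifiers are placeholders, not the real CanisterWorm packages.

```python
"""Match an npm lockfile against malware advisories.

Added example, not GitHub's or Dependabot's code. It mimics the matching
step described above: every resolved package/version in a package-lock.json
is compared with the `vulnerable_version_range` of malware-type advisories.
The lockfile and the advisory list below are CONSTRUCTED fixtures; the
advisory shape follows the GitHub REST API `GET /advisories` response, and
the package names and GHSA IDs are placeholders, not real CanisterWorm data.
"""
import json
import re

# Constructed lockfile (lockfileVersion 3 layout: "packages" keyed by path).
LOCKFILE_JSON = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"left-pad-lookalike": "^1.3.0"}},
    "node_modules/left-pad-lookalike": {"version": "1.3.2"},
    "node_modules/safe-util": {"version": "4.0.1"},
    "node_modules/@scope/build-helper": {"version": "0.9.0"}
  }
}"""

# Constructed advisories (placeholder IDs and names). The third entry is a
# reviewed vulnerability, not malware, and must be ignored by the filter.
MALWARE_ADVISORIES = [
    {
        "ghsa_id": "GHSA-xxxx-xxxx-0001",
        "type": "malware",
        "vulnerabilities": [
            {"package": {"ecosystem": "npm", "name": "left-pad-lookalike"},
             "vulnerable_version_range": ">= 1.3.1, < 1.4.0"}
        ],
    },
    {
        "ghsa_id": "GHSA-xxxx-xxxx-0002",
        "type": "malware",
        "vulnerabilities": [
            {"package": {"ecosystem": "npm", "name": "@scope/build-helper"},
             "vulnerable_version_range": "= 0.9.0"}
        ],
    },
    {
        "ghsa_id": "GHSA-xxxx-xxxx-0003",
        "type": "reviewed",
        "vulnerabilities": [
            {"package": {"ecosystem": "npm", "name": "safe-util"},
             "vulnerable_version_range": "< 5.0.0"}
        ],
    },
]

_OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}

def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; pre-release/build tags are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def in_range(version, range_spec):
    """True if version satisfies every comma-separated clause, e.g. '>= 1.3.1, < 1.4.0'."""
    ver = parse_version(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.+-]*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True

def installed_packages(lockfile_json):
    """Yield (name, version) for every resolved package in a v2/v3 package-lock.json."""
    lock = json.loads(lockfile_json)
    for path, entry in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        # the package name is everything after the last "node_modules/" (keeps @scope/name)
        name = path.rsplit("node_modules/", 1)[-1]
        if "version" in entry:
            yield name, entry["version"]

def find_malware(lockfile_json, advisories):
    """Return sorted (ghsa_id, name, version) hits for malware-type advisories only."""
    hits = []
    for name, version in installed_packages(lockfile_json):
        for adv in advisories:
            if adv.get("type") != "malware":
                continue
            for vuln in adv["vulnerabilities"]:
                pkg = vuln["package"]
                if (pkg.get("ecosystem") == "npm" and pkg["name"] == name
                        and in_range(version, vuln["vulnerable_version_range"])):
                    hits.append((adv["ghsa_id"], name, version))
    return sorted(hits)

if __name__ == "__main__":
    for ghsa, name, version in find_malware(LOCKFILE_JSON, MALWARE_ADVISORIES):
        print(f"{ghsa}: {name}@{version} is a known malicious version")
```

The point of filtering on `type == "malware"` is that malware advisories are a separate class from reviewed vulnerability advisories: a hit means the package version itself is malicious, so the remediation is removal and an investigation of what it ran, not an upgrade. Matching on the lockfile rather than package.json is deliberate, since the lockfile records the exact versions that were actually installed, including transitive dependencies.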

Be proactive and follow this guidance to strengthen the supply chain against future similar attacks.

GitHub’s commitment to supply chain security

GitHub is committed to investigating reported security issues. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform. We also encourage customers and community members to report abuse and spam.
