Skip to content

docs: update vuln reporter to be more accurate #915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
crutchcorn wants to merge 1 commit into
base: main
Choose a base branch
from
+2 −2
Open

docs: update vuln reporter to be more accurate #915

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/blog/npm-supply-chain-compromise-postmortem.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ All times UTC. Local timestamps from GitHub API and npm registry.

| Time | Event |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 2026-05-11 ~19:50 | External researcher (`carlini`) opens issue #7383 with a complete writeup of the malicious `optionalDependencies` fingerprint and the package list (initially 14 of the 42) |
| 2026-05-11 ~19:50 | External researcher `ashishkurmi` working for StepSecurity opens issue #7383 with a complete writeup of the malicious `optionalDependencies` fingerprint and the package list (initially 14 of the 42) |
| 2026-05-11 ~19:50 | Researcher notifies npm security directly |
| 2026-05-11 ~20:00 | Manuel acknowledges in #7383 — incident response begins |
| 2026-05-11 ~20:10 | Manuel removes all other team push permissions on GitHub in case of user machines have been compromised |
Expand Down Expand Up @@ -139,7 +139,7 @@ The chain only works because each vulnerability bridges the trust boundary the o

### How we found out

Detection was external. `carlini` opened issue #7383 ~20 minutes after the publish, with full technical analysis. Tanner received a phone call from Socket.dev just moments after starting the war room confirming the situation.
Detection was external. External researcher `ashishkurmi` working for StepSecurity opened issue #7383 ~20 minutes after the publish, with full technical analysis. Tanner received a phone call from Socket.dev just moments after starting the war room confirming the situation.

### IOC fingerprints (for downstream maintainers and security tools)

Expand Down
Loading