Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m

Do you have a list of the compromised versions?

A few of these, when I check I see that the version published this morning is still present and the latest version. But a quick glance at the code and I don't see the compromise; I'm just doing a quick scan, but some of these packages are so simple that there's really not many places you could hide it:

npmjs.com/package/has-ansi?act…

I'm just trying to compile a list of compromised versions so I can do a quick scan of our systems, but for some of these I haven't been able to find an exploited version.

Maybe the attackers script failed to insert the exploit, as we do see a number of these packages all updated at the same time, but I don't see the exploit code in them. Packages fitting that pattern:

* color
* supports-color
* strip-ansi
* ansi-regex
* has-ansi

(note: all of this is based on a quick glance using the code tab on the NPM registry; it's possible that I could have missed the right file, or missed it when scanning visually, or the code tab might not be showing the version it claims, or the like)

Here's my best attempt at a list of the bad versions:

- supports-hyperlinks 4.1.1
- chalk-template 1.1.1
- simple-swizzle 0.2.3 xxx
- slice-ansi 7.1.1
- error-ex 1.3.3
- is-arrayish 0.3.3
- wrap-ansi 9.0.1
- backslash 0.2.1
- color-string 2.1.1
- color-convert 3.1.1
- color 5.0.1 (???)
- color-name 2.0.1
- ansi-styles 6.2.2
- debug 4.4.2
- chalk 5.6.2 (???)
- supports-color 10.2.2 (???)
- strip-ansi 7.1.2 (???)
- ansi-regex 6.2.2 (???)
- has-ansi 6.0.2 (???)

"xxx" means that the bad version is still the latest version on NPM.

"???" means that a version was uploaded at the time of the attack, but I didn't see the exploit code in a quick visual scan of the code.

Some of this is guesswork because the bad versions have already been deleted.

Also, holy hell the left-pad nature of some of these deps. Here's the entire source of has-ansi:

import ansiRegex from 'ansi-regex';

const regex = ansiRegex({onlyFirst: true});

export default function hasAnsi(string) {
return regex.test(string);
}