NPM packages were compromised or why it's essential to have locked versions.


Several days ago, Josh Junon posted a message on his bsky feed saying that he had been hacked. To be more precise, most of the packages he maintains were compromised in a supply chain attack. As a result, a series of new versions of those packages was pushed to npm, and they appear to contain malicious code.

Feel free to ask questions in comments.

There are 18 packages:
• backslash (0.26m downloads per week)
• chalk-template (3.9m downloads per week)
• supports-hyperlinks (19.2m downloads per week)
• has-ansi (12.1m downloads per week)
• simple-swizzle (26.26m downloads per week)
• color-string (27.48m downloads per week)
• error-ex (47.17m downloads per week)
• color-name (191.71m downloads per week)
• is-arrayish (73.8m downloads per week)
• slice-ansi (59.8m downloads per week)
• color-convert (193.5m downloads per week)
• wrap-ansi (197.99m downloads per week)
• ansi-regex (243.64m downloads per week)
• supports-color (287.1m downloads per week)
• strip-ansi (261.17m downloads per week)
• chalk (299.99m downloads per week)
• debug (357.6m downloads per week)
• ansi-styles (371.41m downloads per week)

It's very late, but still a good moment to take a look at your `package.json` file and check whether you use any of those packages.

You can still save your project. Here is how:
• Refer to the original post from Josh Junon and check package versions
• Clean your npm cache
• Double-check if you use a package lock file
• Lock/pin exact package versions (install with `package@x.y.z` rather than a range)
• Don't use `^` in front of package versions
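The checks above as a script, added here as an example and not part of the original post: it scans a `package.json` and its `package-lock.json` for the 18 packages listed earlier and flags any direct dependency that is not pinned to an exact version. The manifests and version numbers below are constructed samples, not the compromised releases.

```javascript
// Added example: audit package.json + package-lock.json for the 18 affected packages.
const AFFECTED = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi', 'simple-swizzle',
  'color-string', 'error-ex', 'color-name', 'is-arrayish', 'slice-ansi', 'color-convert',
  'wrap-ansi', 'ansi-regex', 'supports-color', 'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);
// An exact pin is a bare X.Y.Z (optionally with a prerelease/build tag). Anything
// else (^, ~, >=, *, x, ||, "latest") is a range that a fresh `npm install` may
// resolve to a newer, possibly malicious, release.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const isPinned = (spec) => EXACT.test(spec);
// Direct dependencies: every dependency section of package.json.
function auditManifest(pkg) {
  const out = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (AFFECTED.has(name)) out.push({ name, spec, section, pinned: isPinned(spec) });
    }
  }
  return out;
}
// Transitive dependencies: lockfile v2/v3 keys every installed copy by its
// node_modules path, e.g. "node_modules/chalk/node_modules/ansi-styles".
function auditLockfile(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (AFFECTED.has(name)) out.push({ name, version: entry.version, path });
  }
  return out;
}
// Constructed sample manifests; the version numbers are illustrative only.
const samplePkg = {
  dependencies: { chalk: '^5.3.0', express: '4.19.2', debug: '4.3.4' },
  devDependencies: { 'strip-ansi': '~7.1.0' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/chalk': { version: '5.3.0' },
  'node_modules/chalk/node_modules/ansi-styles': { version: '6.2.1' },
  'node_modules/debug': { version: '4.3.4' },
  'node_modules/strip-ansi': { version: '7.1.0' },
} };
for (const f of auditManifest(samplePkg))
  console.log(`${f.section}: ${f.name}@${f.spec}${f.pinned ? '' : '  <-- not pinned'}`);
for (const h of auditLockfile(sampleLock)) console.log(`installed: ${h.name}@${h.version} (${h.path})`);
```

To run it against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of your own `package.json` and `package-lock.json`.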

BTW, I don't have access to the source code, but it's likely that Atlassian Command Line Interface (CLI) and Rovo Dev CLI may use some of the same packages.

P.S. 💡
Our team usually replaces `^` with `@` and explains to clients why it's important.
