Sharing this here to get awareness for devs because Discourse might be using one of the infected repos…
The infected repos are clones of the originals; the originals are OK.
We’re not aware of any impact to Discourse or our dependencies.
As @Mr.X_Mr.X mentioned, the tweet author has admitted that the findings were limited to forks/clones, rather than the true versions of dependencies:
Ah, that is good to know. Better safe than sorry, haha. Felt this was a place where devs at least should be aware of the malware.
Welcome to internet!