Hi,
I got a report from the XRay scanner in JFrog that the base image of discourse version 2.0.20240904-0335 contains malicious code in three packages:
- dialog-holder:1.0.0
- float-kit:1.0.0
- custom-proxy:1.0.0
Then I did a little research and also found the three packages with the same names and versions reported on https://vulert.com
(I will add this in the comment as I cannot post more than 2 links in the post)
Have you faced the same issue before? Are these findings from Discourse or from other packages, as I cannot find any reported packages on npm.js?
Many thanks