Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the staticlayer package.
staticlayer is a malicious package. This package is part of a coordinated malicious campaign that conceals a Windows binary dropper. While the package itself might not contain standalone malicious logic and masquerades as a benign micro-utility, it is part of a broader attack and should not be installed. A malicious actor split the execution logic across different npm packages, allowing the attacker to evade per-package reviews and secretly execute a weaponized payload only when the packages are wired together.
According to the security analysis, the obfuscated payload is designed to establish communications with an external anonymous server to download and run a malicious executable. The dropper strips "Mark-of-the-Web" warnings to suppress Microsoft SmartScreen prompts and runs completely hidden from the user. It will persist on the system by generating an executable that imitates a legitimate updater (e.g., msedge_update_*.exe, chrome_installer_*.exe, dotnet_host_*.exe) and placing it in paths such as %LOCALAPPDATA%\Temp, %TEMP%, or %TMP%.
Notes:
Node.js https, curl.exe, and bitsadmin) and three execution methods to ensure it deploys successfully even on partially hardened systems.