Name of the Vulnerable Software and Affected Versions uglyfi-js version 3.4.6

Description The issue concerns a malicious package designed to exploit typographical errors when installing modules. Upon installation, it downloads and executes a file from a remote server, creating a backdoor. This results in the computer being fully compromised, with all stored secrets and keys at risk.

Recommendations For version 3.4.6, remove the package immediately. However, due to potential full control being given to an outside entity, removal may not eliminate all malicious software. Additionally, consider all secrets and keys stored on the compromised computer as exposed and rotate them from a different, secure computer.