Open Source · 2019-07-05 · 7 days · Sabotage, Denial Of Service

PureScript installer dependencies were sabotaged

Malicious npm releases of load-from-cwd-or-npm and rate-map targeted the PureScript npm installer, making compiler installation hang rather than stealing credentials or installing a backdoor.

Story

The PureScript incident was a supply-chain attack with an unusually personal-looking payload. The purescript package was not itself republished with credential theft code. Instead, two dependencies maintained outside the PureScript team were changed so they would break the new PureScript npm installer while trying to avoid obvious failure in other paths.

The timing mattered. PureScript 0.13.2 shipped on July 5, 2019, after the compiler maintainers had taken over the purescript npm package and replaced the older install-purescript-cli path with their own purescript-installer. About eight hours later, load-from-cwd-or-npm 3.0.2 was published. When pulled through dl-tar during a normal install, it returned a PassThrough stream where the installer expected the request module, so the binary download step silently went nowhere.

The first sabotage looked enough like a bug that maintainers initially worked around it. Then, on July 9, rate-map 1.0.3 appeared with a sharper version of the same idea. It used similar activation logic, resolved the local dl-tar package through an obfuscated string, removed the callback that let the download stream advance, and then rewrote its own installed file to erase the malicious block after it ran.

The targeting logic is what made the case stand out. The code tried not to fire when the old install-purescript-cli path was in use, and it checked for nearby Git directories to make local reproduction harder. Jarrod Overson later summarized the oddity well: there was no obvious monetization, no miner, no token theft, and no remote shell. The effect was sabotage of one installer lineage after a messy maintainer handoff.

Harry Garrood reported rate-map to npm support around 11:30 UTC on July 9 and published purescript-installer 0.2.5 around 14:00 UTC, dropping or vendoring the dependencies maintained by the former installer maintainer. npm later removed load-from-cwd-or-npm 3.0.2 and rate-map 1.0.3 from the registry, and the maintainer told npm the packages were published after an account compromise. The public record still leaves attribution unresolved, so this catalog keeps the actor unknown and focuses on the registry packages that actually carried the sabotage.

Affected Artifacts

Incident Context

Motive: Sabotage
Cause: Malicious Dependency
Transitive: Yes

External References

Source record: oss/attacks/purescript-npm-installer/meta.yaml