I just saw this linked on Twitter.
To my knowledge this doesn't affect Windows. It has been confirmed to affect FreeBSD and multiple Linux distributions.
What's worse is that this is apparently a pre-release but is only marked as a pre-release if you look on their GitHub releases page. Everywhere else, including its own version number, the npm blog, npm update, etc., refers to it as if it were a standard minor release.
Edit: Also, I put this in the wrong category. Whoops. Boomzilla fixed it.