If you’re a package maintainer, please defensively revoke all NPM and GitHub tokens. This is a worm which is still spreading and you probably don’t want to publish anything today anyways, so you might as well use this incident as an opportunity to rotate everything.
Larger discussion thread here: https://news.ycombinator.com/item?id=45260741
I scanned this discussion looking for a way to tell if you've been compromised but nothing jumped out.
If you’re a package maintainer, please defensively revoke all NPM and GitHub tokens. This is a worm which is still spreading and you probably don’t want to publish anything today anyways, so you might as well use this incident as an opportunity to rotate everything.