About a week ago (June 15th) I started getting these e-mails in the middle of the night:
Upon checking my repositories, I was greeted with the following message:
I searched Discord & the forums but could not find any more information. I did some digging, and these turned out to be false positives, no problem.
What seems to have happened:
- Someone started creating a bunch of fake packages on the npm registry, using exactly the same names as the official Unity packages all of us are using in our project(s)
- The packages contained malware, and have been reported, flagged and removed
Problem solved, however:
- The names of these malicious packages are now known in their vulnerability database. If you have Dependabot enabled in your repository security settings, GitHub automatically scans your repository to check for any known malicious packages. However, because these fake packages have exactly the same names as the official Unity packages, GitHub now thinks all projects contain malicious packages, and is sending out false positive warning emails to everyone.
The official Unity packages are fine. If you have tried manually downloading any of these packages from an unofficial/untrusted source, please re-check the package URL to see if it has been flagged as malware.
Edit:
Just noticed there is a similar thread in the package manager sub forum over here. The mods will probably know what's best to do here.
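One way to do the re-check suggested above, added here as an example that is not part of the original thread: it reads a Unity project's Packages/manifest.json and Packages/packages-lock.json and lists every registry package whose recorded url is not the registry Unity should have resolved it from (the Unity registry, or a scoped registry declared for that name's scope). The lock-file layout with per-package "source" and "url" fields is assumed from Unity's lock format; both sample files and the package name com.unity.constructed-example are constructed.

```python
import json

UNITY_REGISTRY = "https://packages.unity.com"

# Constructed sample manifest.json: one scoped registry for a non-Unity scope.
SAMPLE_MANIFEST = r'''{
  "dependencies": {"com.unity.textmeshpro": "3.0.6", "com.example.tool": "1.0.0"},
  "scopedRegistries": [
    {"name": "Example", "url": "https://registry.example.invalid", "scopes": ["com.example"]}
  ]
}'''

# Constructed sample packages-lock.json (layout assumed to follow Unity's lock file,
# which records "source" and, for registry packages, "url" per dependency).
SAMPLE_LOCK = r'''{
  "dependencies": {
    "com.unity.textmeshpro": {"version": "3.0.6", "depth": 0, "source": "registry",
                              "dependencies": {"com.unity.ugui": "1.0.0"},
                              "url": "https://packages.unity.com"},
    "com.unity.ugui": {"version": "1.0.0", "depth": 1, "source": "builtin",
                       "dependencies": {}},
    "com.example.tool": {"version": "1.0.0", "depth": 0, "source": "registry",
                         "dependencies": {}, "url": "https://registry.example.invalid"},
    "com.unity.constructed-example": {"version": "1.2.3", "depth": 0, "source": "registry",
                                      "dependencies": {}, "url": "https://registry.npmjs.org"}
  }
}'''

def expected_registry(name, manifest):
    """Registry Unity should resolve `name` from: a scoped registry whose scope
    prefixes the name wins, otherwise the default Unity registry."""
    for reg in manifest.get("scopedRegistries", []):
        if any(name == s or name.startswith(s + ".") for s in reg.get("scopes", [])):
            return reg["url"].rstrip("/")
    return UNITY_REGISTRY

def find_misresolved_packages(manifest_text, lock_text):
    """Return (name, actual_url, expected_url) for every registry package whose
    recorded url differs from the registry it should resolve from. Builtin,
    local, embedded and git sources are not registry lookups and are skipped."""
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text)
    findings = []
    for name, entry in lock.get("dependencies", {}).items():
        if entry.get("source") != "registry":
            continue
        actual = entry.get("url", "").rstrip("/")
        expected = expected_registry(name, manifest)
        if actual != expected:
            findings.append((name, actual or "<no url recorded>", expected))
    return findings

if __name__ == "__main__":
    for name, actual, expected in find_misresolved_packages(SAMPLE_MANIFEST, SAMPLE_LOCK):
        print(f"{name}: resolved from {actual}, expected {expected}")
```

On a real project, replace the two sample strings with the contents of Packages/manifest.json and Packages/packages-lock.json; an empty result means every registry package came from where the manifest says it should.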