@evilpacket discovered that two valid GitHub.com personal access tokens used for Electron development were published to two public NPM packages. We addressed this issue by immediately revoking the tokens. We also updated the NPM packages' .npmignore file to exclude the same sensitive files that .gitignore was already filtering: when a package has an .npmignore, npm uses it instead of .gitignore when deciding what to pack, so files kept out of the repository could still end up in the published tarball. Additionally, we performed an audit of all usages of these tokens to ensure that no unauthorized access was granted using the leaked tokens.
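The check below is an added example and is not Electron's code or part of the original advisory. It compares a package's .gitignore and .npmignore and reports files that .gitignore would have kept out of the repository but that no .npmignore pattern covers, which is exactly the gap described above. The ignore files and the file list are constructed sample inputs, and the pattern matcher is a deliberately simplified approximation of gitignore/npmignore semantics (no `!` negations, no `**`), not npm's own implementation; for an authoritative answer, inspect the output of `npm pack --dry-run` instead.

```python
"""Pre-publish check: which files does .gitignore exclude that .npmignore would still ship?

Added example, not Electron project code. The matcher approximates ignore-file
semantics and does not handle '!' negations or '**' globs.
"""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Constructed sample inputs (not from any real package).
GITIGNORE = """
node_modules/
# local credentials, never committed
.env
*.token
script/secrets/
"""

NPMIGNORE = """
node_modules/
test/
"""

# Constructed list of files present in the working tree at publish time.
FILES = [
    "package.json",
    "lib/index.js",
    ".env",
    "script/secrets/github_token.txt",
    "test/spec.js",
    "node_modules/x/index.js",
    "ci/deploy.token",
]


def parse_ignore(text: str) -> list[str]:
    """Return the active patterns of an ignore file (blank lines and comments dropped)."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(line)
    return patterns


def matches(path: str, pattern: str) -> bool:
    """Simplified ignore match.

    A pattern without '/' matches any single path component (so 'node_modules/'
    or '*.token' apply at any depth). A pattern containing '/' is anchored to the
    package root and matches the path itself or anything beneath it.
    """
    pat = pattern.rstrip("/")
    if "/" in pat:
        anchored = pat.lstrip("/")
        return fnmatchcase(path, anchored) or path.startswith(anchored + "/")
    return any(fnmatchcase(part, pat) for part in PurePosixPath(path).parts)


def missing_from_npmignore(gitignore: str, npmignore: str) -> list[str]:
    """Patterns present in .gitignore but absent from .npmignore, in .gitignore order."""
    npm = set(parse_ignore(npmignore))
    return [p for p in parse_ignore(gitignore) if p not in npm]


def files_that_would_ship(files: list[str], gitignore: str, npmignore: str) -> list[str]:
    """Files that .gitignore excludes but that no .npmignore pattern covers.

    npm consults .npmignore instead of .gitignore when both exist, so these are
    the files that would land in the published tarball.
    """
    git = parse_ignore(gitignore)
    npm = parse_ignore(npmignore)
    leaked = []
    for f in files:
        ignored_by_git = any(matches(f, p) for p in git)
        ignored_by_npm = any(matches(f, p) for p in npm)
        if ignored_by_git and not ignored_by_npm:
            leaked.append(f)
    return leaked


if __name__ == "__main__":
    print("patterns missing from .npmignore:", missing_from_npmignore(GITIGNORE, NPMIGNORE))
    print("files that would be published:", files_that_would_ship(FILES, GITIGNORE, NPMIGNORE))
```

Copying the .gitignore patterns into .npmignore (or switching to a `files` allowlist in package.json, which npm also supports) makes the second list empty; running the check with the same content for both files demonstrates that.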
@evilpacket discovered that a valid NPM token for the Electron account was published to a public NPM package. We addressed this issue by revoking the token. We also performed an audit of all NPM packages published by this account to ensure that malicious packages were not distributed using the leaked token.