The NPM packages under the following scope are a false positive.
Please see this article, which picked this up and importantly the note at the top with the update.
https://safedep.io/schedaero-dependency-confusion-attack/
This was a controlled test by our pentest vendor, who published malicious-looking packages to see if we were vulnerable to a dependency confusion attack. We were not.
We have since claimed our internal scopes on NPM also.