I've checked on both my local machine and on a VPS I run, and the following URL is 302 redirecting to a malicious JS script which pops up a confirmation window and then redirects to ads:<p>SOURCE URL: https://unpkg.com/react@latest/dist/react.js
MALICIOUS REDIRECT: https://compliance-jessica.xyz/a.php<p>This is the URL recommended for in-browser development use by https://facebook.github.io/react/docs/installation.html<p>Can anyone else replicate this?
Looks like there was indeed an issue with a bad nameserver update:<p><a href="https://twitter.com/unpkg/status/852660203275276289" rel="nofollow">https://twitter.com/unpkg/status/852660203275276289</a>
unpkg are reporting this as fixed. <a href="https://twitter.com/unpkg/status/852668919768694784" rel="nofollow">https://twitter.com/unpkg/status/852668919768694784</a>.<p>We got hit pretty hard for the 50 minutes or so the problem existed, Dropbox host their JS SDK lib on there...
Seeing the same thing when trying to load Vue.<p>Tweet from them:<p><a href="https://twitter.com/unpkg/status/852655106562564098" rel="nofollow">https://twitter.com/unpkg/status/852655106562564098</a><p>> We're experiencing some issues and working on it. Will post updates here as soon as we know more.
We got close to trending on HackerNews yesterday when this happened.<p>Suddenly every visitor was reporting alert dialogs saying they had a virus and our votes dropped off a cliff.<p>Last time I ever go against my gut and semi-trust anything.