Two npm questions

There’s a furore today about a slew of widely used packages updated with a malicious payload (npm debug and chalk packages compromised) - are any of these packages used by meteor? Also I notice that the meteor package hasn't yet been updated to 3.3.2. How does this update typically get made?

As far as I know, the Meteor core would only have been affected if we had published a new Meteor version yesterday at that time, which has only been the case with the 3.4 betas. Today we re-released them, making the latest one with patch fixes available.

This likely won’t affect previous versions like 3.3.2, since those already had the dependencies fixed. However, if your app uses any of these deps and they’re not fixed, it could still be affected. I recommend reviewing your dependencies to make sure none are on the vulnerable version.

Anyway, to be safe, check those deps in your app lock files to ensure they are not there, and bump to fixes if necessary, as well as reset the node_modules. I recommend cleaning all npm caches in your system (npm cache clean --force / npm cache verify), and even reinstalling Meteor with rm -rf .meteor / npx meteor, in case some old cache state is still holding those deps indirectly.

meteor npm 3.3.2 was published already. Thanks for the report.
