There also seems to be a compromised package in the dependency tree now:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Malware in react-intl-next │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ react-intl-next │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @atlassianlabs/jql-editor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @atlassianlabs/jql-editor > react-intl-next │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1078722 │
└───────────────┴──────────────────────────────────────────────────────────────┘
It looks like it was already handled by the NPM security team 8 months ago, and Yarn resolves it to the react-intl package, so there’s likely no immediate threat:
https://www.npmjs.com/package/react-intl-next
But it still throws an audit error and I think it should be fixed ASAP.