Malware in @pa-client/power-code-sdk?

[francescozitelli]

Dear all,
Checking with "npm audit" command on my project, I discovered a Malware in @pa-client/power-code-sdk - https://github.com/advisories/GHSA-484g-hww8-cwwm

What do you suggest in this case?

[marcelbf]

Thanks for raising this —just wanted to clarify a couple of important points:

@pa-client/power-code-sdk is not an official Microsoft package. For production use, please reference only the official SDK (@microsoft/power-apps) or the documented package alias if you're following legacy samples.

The @pa-client/power-code-sdk package has been removed from npm. We strongly recommend avoiding any usage of it going forward.

Let us know if you need help updating your references or have questions about the official SDK.

[francescozitelli]

Dear Marcel, thanks for your answer.
I would like to receive your help to understand how to uninstall completely and mitigate any risk in my dev machine.
I have followed as many enthusiast the tutorial by @rezadorrani @rdorrani on Youtube, minute 5:20
https://youtu.be/UBFgFNYbSTA?si=T0H0CjOeeRtVKRwe

How can we be sure the malware has not infected our machine?
IS there any forensic of the origin of infection?
How can be the case that first version 0.0.1 was already infected?

Thanks for your attention.

PS: https://osv.dev/vulnerability/MAL-2025-47010
https://osv.dev/vulnerability/MAL-2025-47010

[marcelbf]

hi @francescozitelli.

rest assured, if you use this (from demo or our legacy samples) you would not have the risk of downloading non-approved/non-Microsoft-published-packages.

Let me break this down in very simple terms:

🧩 What is npm?

npm stands for Node Package Manager. It’s like an app store for developers — a place where they can download and share code packages to help build software faster.

---

🚫 What happened with @pa-client/power-code-sdk?

• This package was never officially published by Microsoft.
• In our code samples, we did not use npm to install it.
• Instead, we used a shortcut (called an alias) that simply points to a file you download directly from our GitHub release page.

---

🔐 Was there malware?

No — if you followed our native code samples or demos, you would not have the risk of downloading non-approved/non-Microsoft-published-packages.

• We always used the alias to our GitHub release URL, not the npm version.
• The allegedly malware was found in a version that someone else published to npm, which we never endorsed or used.

---

✅ What should you do now?

Going forward, just use the official Microsoft package:
@microsoft/power-apps
This is the trusted and supported version.

If you installed the unofficial package from NPM, follow NPM's instructions here: GHSA-484g-hww8-cwwm

Let me know if you have questions or need any help.

[francescozitelli]

Thanks a lot for your answer and clarification!
Have a nice day!