
Malicious npm package taken down after Microsoft warning
2020-01-15 11:32

Criminals have been caught trying to sneak a malicious package onto npm, the popular package registry for Node.js.

The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.

Malicious npm packages, particularly ones installing backdoors, have become a recurring theme in the last year or two.

The thinking behind this attack was simple: upload what appears to be a useful package, wait until the intended target starts using it in their build chain, and then push an update that carries a malicious payload. This kind of ruse puts a lot of pressure on npm's security reviewers to spot malevolence before any damage is done.

There have been at least four other incidents with malicious packages trying to sneak backdoor attacks on npm users since 2017.
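The attack pattern above only works if the consumer pulls the poisoned update without noticing, which is exactly what a floating version range (^1.0.0, ~1.0.0, *) allows, and the payload usually runs from an install-time lifecycle script. The following check is an added example, not code from the Sophos article or from npm's own tooling: it scans a package.json (your own, or one under node_modules) for dependencies that are not pinned to an exact version and for install hooks. The sample manifest is constructed for illustration; 1337qq-js is the package named in the article, the other package names and script commands are placeholders.

```javascript
// Added example: audit a package.json for two conditions that make the
// "publish something useful, then update it with a payload" ruse work:
//   1. dependency ranges that let npm silently resolve a newer release
//   2. lifecycle hooks that execute code at install time
// Point it at node_modules/<pkg>/package.json to review what a dependency
// would run on install, or at your own manifest to find unpinned ranges.

// Lifecycle scripts npm runs during installation of a package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// An exact version looks like 1.2.3 or 1.2.3-beta.1 (optionally =1.2.3 / v1.2.3).
// Anything else (caret/tilde ranges, wildcards, "latest", git or tarball URLs)
// is treated as floating, because npm may resolve it to a release that did
// not exist when the dependency was first reviewed.
function isFloatingRange(range) {
  const r = String(range).trim().replace(/^[=v]/, '');
  if (r === '' || r === '*' || r === 'latest') return true;
  if (/^[\^~><]/.test(r)) return true;            // ^1.2.3, ~1.2.3, >=1.0.0
  if (/[xX*]/.test(r)) return true;               // 1.x, 1.2.*
  if (/\s-\s|\|\|/.test(r)) return true;          // "1.0.0 - 2.0.0", "1 || 2"
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(r);
}

// Returns a list of findings; an empty list means nothing suspicious.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (isFloatingRange(range)) {
        findings.push({ kind: 'floating-range', field, name, range });
      }
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({ kind: 'install-hook', name: hook, command: scripts[hook] });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project).
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  scripts: {
    test: 'node test.js',
    postinstall: 'node setup.js',   // hypothetical install hook
  },
  dependencies: {
    '1337qq-js': '^1.0.0',          // floating: a later release would be pulled in
    'left-pad': '1.3.0',            // pinned exactly
  },
  devDependencies: {
    mocha: '*',                     // floating: any version at all
  },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Pinning exact versions only helps if installs honour them, so pair this with a committed lockfile installed via `npm ci`, and use `npm install --ignore-scripts` when you want to inspect a package before letting any of its hooks run.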


News URL

https://nakedsecurity.sophos.com/2020/01/15/malicious-npm-package-taken-down-after-microsoft-warning/
