Security News

JavaScript bugs aplenty in Node.js ecosystem – found automatically
2022-08-30 18:59

That's where you aim to review source code for likely coding blunders and security holes without actually running it at all. If someone has copied-and-pasted that buggy code into other software components in your company repository, you might be able to find them with a text search, assuming that the overall structure of the code was retained, and that comments and variable names weren't changed too much.

Anatomy of a campaign to inject JavaScript into compromised WordPress sites
2022-05-13 04:09

A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers. "The websites all shared a common issue - malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files," Konov wrote.

JavaScript security: The importance of prioritizing the client side
2022-04-01 05:00

In this interview with Help Net Security, Vitaly Lim, CTO at Feroot, talks about the most common JavaScript threats, the devastating impact of malicious or vulnerable code, and the importance of JavaScript security in the development process. What kind of impact do third-party JavaScript libraries and pre-written JavaScript code have on front-end security?

Take a walk on the client side: The importance of front-end JavaScript security assessments
2022-03-16 04:30

During these assessments a security analyst will determine if the system is susceptible to any known or exploitable vulnerabilities, assign severity levels to them, recommend remediation or mitigation, and prioritize the order in which remediation must occur based on the severity level. The end result of a security assessment should be deep insights into the security gaps of your organization, aligned to both your overall security program and a governance model.

This JavaScript scanner hunts down malware in libraries
2022-03-01 16:00

For those developing with JavaScript and related technologies, GitHub's NPM Package Registry is an essential resource. It's the home of more than 1.8 million packages - libraries and modules that get added to applications as dependencies to perform useful functions.

25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository
2022-02-22 22:30

Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.

JavaScript developer destroys own projects in supply chain “lesson”
2022-01-11 19:54

If you were a user of either of those projects, and if you are inclined to accept any and all updates to your source code automatically without any sort of code review or testing. We've written about security holes suddenly showing up in numerous coding communities, including PHP programmers, Pythonistas, Ruby users, and NPM fans.

This New Stealthy JavaScript Loader Infecting Computers with Malware
2021-11-26 22:23

Threat actors have been found using a previously undocumented JavaScript malware strain that functions as a loader to distribute an array of remote access Trojans and information stealers. HP Threat Research dubbed the new, evasive loader "RATDispenser," with the malware responsible for deploying at least eight different malware families in 2021.

Stealthy new JavaScript malware infects Windows PCs with RATs
2021-11-24 16:08

A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans in phishing attacks. Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware payload. These layers of obfuscation help the malware evade detection 89% of the time, based on VirusTotal scan results.

GitHub fixes authorisation vulnerability in the NPM JavaScript package registry
2021-11-16 17:33

GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation. "The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but"the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.