Security News
The Linux Foundation announced the final release of "Census II of Free and Open Source Software - Application Libraries," which identifies more than one thousand of the most widely deployed open source application libraries. This study informs what open source packages, components and projects warrant proactive operations and security support.
For those developing with JavaScript and related technologies, GitHub's NPM Package Registry is an essential resource. It's the home of more than 1.8 million packages - libraries and modules that get added to applications as dependencies to perform useful functions.
Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.
"The confusion in URL parsing can cause unexpected behavior in the software, and could be exploited by threat actors to cause denial-of-service conditions, information leaks, or possibly conduct remote code execution attacks," the researchers said in a report shared with The Hacker News. With URLs being a fundamental mechanism by which resources - located either locally or on the web - can be requested and retrieved, differences in how the parsing libraries interpret a URL request could pose significant risk for users.
Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks. The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog -.
Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of...
Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans on unsuspecting users. In a new report by open source security firm Sonatype with further analysis by BleepingComputer, these malicious NPMs are infecting victims with an MBRLocker ransomware that impersonates the notorious GoldenEye ransomware, trollware, and a password stealing trojan.
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.
79% percent of the time, third-party libraries are never updated by developers after being included in a codebase - despite the fact that more than two thirds of fixes are minor and non-disruptive to the functionality of even the most complex software applications, Veracode research reveals. Open source libraries constantly evolve so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.
Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals. Compiled in partnership with the Cyentia Institute, Veracode's latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.