Security News

More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months - a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications.

The cause has been traced down to a dependency used by create-react-app, the latest version of which is breaking developers' apps. Create React App is an open source project produced by Facebook and made available on both GitHub and npm to help developers build single-page React applications fast.

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'.

At least 17 malware-laced packages have been discovered on the NPM package Registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPi and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and environment variables from users' computers as well as gain full control over a victim's system.

A series of malicious packages in the Node.js package manager code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users' accounts and servers. Js, which enables interaction with the Discord API. "The malware's author took the original discord.js library as the base and injected obfuscated malicious code into the file src/client/actions/UserGet.js," according to JFrog, which added, "In classic trojan manner, the packages attempt to misdirect the victim by copying the README.md from the original package."

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.

GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation. "The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but"the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

The first flaw concerns leak of names of private npm packages on the npmjs.com's 'replica' server-feeds from which are consumed by third-party services. ' The leak exposed a list of names of private npm packages, but not the content of these packages during the maintenance window.

In what's yet another instance of supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are "Coa," a parser for command-line options, and "Rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "Identical" password-stealing malware.

In what's yet another instance of supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are "Coa," a parser for command-line options, and "Rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "Identical" password-stealing malware.