Security News
GitHub has revealed it stored a "Number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems. The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question "Prior to the attack on npm."
Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains. Taking over an NPM package tied to that domain then becomes a matter of resetting the password of the NPM account associated with the commandeered email address - the password reset message goes to the new account holder.
Cybersecurity researchers have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks. "Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report.
Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security. Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the "Foreach" package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the "Foreach" package, which is fetched nearly six million times a week.
Today, GitHub has launched a new public beta to notably improve the two-factor authentication experience for all npm user accounts. Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register "Multiple second factors, such as security keys, biometric devices, and authentication applications."
In a surprising move, the popular open source project, SheetJS aka "Xlsx," has dropped support for the npm registry. The project's maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub's abrupt decision-making, and ongoing 'legal matters' between SheetJS and npm.
In a surprising move, the popular open source project, SheetJS aka "Xlsx," has dropped support for the npm registry. The project's maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub's abrupt decision-making, and ongoing 'legal matters' between SheetJS and npm.
The Open Source Security Foundation, a Linux Foundation-backed initiative has released its first prototype version of the 'Package Analysis' tool that aims to catch and counter malicious attacks on open source registries. In a pilot run that lasted less than a month, the open source project released on GitHub, was able to identify over 200 malicious npm and PyPI packages.
A 'logical flaw' in the npm registry enabled authors of malicious packages to quietly add anyone and any number of users as 'maintainers' to their packages in an attempt to boost the trust in their packages. A security flaw in the npm registry, dubbed 'package planting' allowed threat actors to silently add any developer as 'maintainers' to their malicious packages.
A "Logical flaw" has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them. "Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent," Aqua's Yakir Kadkoda said in a report published Tuesday.