Security News
A series of malicious packages in the Node.js package manager code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users' accounts and servers. Js, which enables interaction with the Discord API. "The malware's author took the original discord.js library as the base and injected obfuscated malicious code into the file src/client/actions/UserGet.js," according to JFrog, which added, "In classic trojan manner, the packages attempt to misdirect the victim by copying the README.md from the original package."
GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.
GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation. "The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but "the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file."
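The two reports above describe the same pattern: authorization is decided on the package named in the request path, but the write is keyed on the package named inside the uploaded file. The following is an added illustration, not GitHub's or npm's code, using a constructed in-memory registry and made-up package and user names; it shows the flawed flow next to a fixed one that requires the path and manifest to name the same package before either the check or the write happens.

```javascript
// Constructed sample registry state: package name -> maintainers and versions.
// Fresh state per call so the flawed and fixed flows can be compared side by side.
function makeRegistry() {
  return {
    "left-pad-clone": { maintainers: new Set(["alice"]), versions: ["1.0.0"] },
    "popular-lib":    { maintainers: new Set(["bob"]),   versions: ["4.2.0"] },
  };
}

// Authorization check keyed on the package named in the request URL path.
// This part was correct in both the flawed and the fixed design.
function isAuthorized(registry, user, packageName) {
  const entry = registry[packageName];
  return entry !== undefined && entry.maintainers.has(user);
}

// Flawed flow: authorize on the URL path, then publish whatever package the
// uploaded manifest names. A manifest naming a different package is written
// under that other package's entry even though the caller was never
// authorized for it.
function publishFlawed(registry, user, urlPackageName, uploadedManifest) {
  if (!isAuthorized(registry, user, urlPackageName)) {
    return { ok: false, reason: "forbidden" };
  }
  const target = uploadedManifest.name; // identity taken from the upload
  if (registry[target] === undefined) {
    return { ok: false, reason: "unknown package" };
  }
  registry[target].versions.push(uploadedManifest.version);
  return { ok: true, published: target };
}

// Fixed flow: the package identity used for the authorization check and for
// the write is one and the same value, and a path/manifest mismatch is
// rejected before anything else is evaluated.
function publishFixed(registry, user, urlPackageName, uploadedManifest) {
  if (uploadedManifest.name !== urlPackageName) {
    return { ok: false, reason: "manifest name does not match request path" };
  }
  if (!isAuthorized(registry, user, urlPackageName)) {
    return { ok: false, reason: "forbidden" };
  }
  registry[urlPackageName].versions.push(uploadedManifest.version);
  return { ok: true, published: urlPackageName };
}

// Run both flows on the same constructed request: "alice" (maintainer of
// left-pad-clone only) uploads a manifest that claims to be popular-lib.
function demo() {
  const manifest = { name: "popular-lib", version: "4.2.1" };
  const flawedRegistry = makeRegistry();
  const fixedRegistry = makeRegistry();
  return {
    flawed: publishFlawed(flawedRegistry, "alice", "left-pad-clone", manifest),
    flawedPopularLibVersions: flawedRegistry["popular-lib"].versions,
    fixed: publishFixed(fixedRegistry, "alice", "left-pad-clone", manifest),
    fixedPopularLibVersions: fixedRegistry["popular-lib"].versions,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The detection-side takeaway is that the check and the write must agree on the object they refer to; a registry that logs both the path name and the manifest name on every publish can alert on any request where the two differ.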
The first flaw concerns a leak of the names of private npm packages on npmjs.com's 'replica' server, whose feeds are consumed by third-party services. The leak exposed a list of names of private npm packages, but not the content of those packages, during the maintenance window.
In what's yet another instance of a supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code after an unidentified threat actor gained unauthorized access to the respective developers' accounts. The two libraries in question are "Coa," a parser for command-line options, and "Rc," a configuration loader, both of which were tampered with to include "Identical" password-stealing malware.
Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. Today, developers around the world were surprised to notice new releases for npm library 'coa', a project that hasn't been touched for years, unexpectedly appear on npm.
Apple fixes security feature bypass in macOS: Apple has delivered a barrage of security updates for most of its devices this week, and among the vulnerabilities fixed are CVE-2021-30892, a System Integrity Protection bypass in macOS, and CVE-2021-30883, an iOS flaw that's actively exploited by attackers.
Good security habits: Leveraging the science behind how humans develop habits. In this interview with Help Net Security, George Finney, CSO at Southern Methodist University, explains what good security habits are, how to successfully implement them and why they are important.
Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of...