Security News

Malicious npm Code Packages Built for Hijacking Discord Servers
2021-12-08 22:30

A series of malicious packages in the Node.js package manager code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users' accounts and servers. Js, which enables interaction with the Discord API. "The malware's author took the original discord.js library as the base and injected obfuscated malicious code into the file src/client/actions/UserGet.js," according to JFrog, which added, "In classic trojan manner, the packages attempt to misdirect the victim by copying the README.md from the original package."

GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts
2021-11-17 12:32

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.

GitHub fixes authorisation vulnerability in the NPM JavaScript package registry
2021-11-16 17:33

GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation. "The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but"the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

NPM fixes private package names leak, serious authorization bug
2021-11-16 12:43

The first flaw concerns leak of names of private npm packages on the npmjs.com's 'replica' server-feeds from which are consumed by third-party services. ' The leak exposed a list of names of private npm packages, but not the content of these packages during the maintenance window.

Two NPM Packages With 22 Million Weekly Downloads Found Backdoored
2021-11-08 19:16

In what's yet another instance of supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are "Coa," a parser for command-line options, and "Rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "Identical" password-stealing malware.

Two NPM Packages With 22 Million Weekly Downloads Found Backdoored
2021-11-08 19:16

In what's yet another instance of supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are "Coa," a parser for command-line options, and "Rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "Identical" password-stealing malware.

Popular 'coa' NPM library hijacked to steal user passwords
2021-11-04 18:06

Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. Today, developers around the world were left surprised to notice new releases for npm library 'coa'-a project that hasn't been touched for years, unexpectedly appear on npm.

Popular npm library 'coa' hijacked breaking React pipelines worldwide
2021-11-04 18:06

Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. Today, developers around the world were left surprised to notice new releases for npm library 'coa'-a project that hasn't been touched for years, unexpectedly appear on npm.

Week in review: Popular npm package hijacked, zero trust security key tenets, wildcard certificate risks
2021-10-31 09:00

Apple fixes security feature bypass in macOSApple has delivered a barrage of security updates for most of its devices this week, and among the vulnerabilities fixed are CVE-2021-30892, a System Integrity Protection bypass in macOS, and CVE-2021-30883, an iOS flaw that's actively exploited by attackers. Good security habits: Leveraging the science behind how humans develop habitsIn this interview with Help Net Security, George Finney, CSO at Southern Methodist University, explains what good security habits are, how to successfully implement them and why are they important.

Malicious NPM Libraries Caught Installing Password Stealer and Ransomware
2021-10-28 00:05

Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of...