Security News

A widely used NPM package called 'Pac-Resolver' for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent. A Proxy Auto-Configuration file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname.

The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages. On further review of the researchers' reports, GitHub security team found some more high-severity vulnerabilities in the aforementioned packages, affecting both Windows and Unix-based systems.

Perry rediscovered this risk recently, when he decided to use a popular NPM package called Proxy-Agent to provide the proxy support he wanted in his HTTP Toolkit product. Numerous corporate-style tools exist to help computers on a network locate their official internal proxies automatically, including PAC, short for proxy auto-configuration, and WPAD, short for web proxy auto-discovery.

A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads. An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.

A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line."

Npm is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome's V8 JavaScript engine. "Vast" would be an understatement to describe the ecosystem: npm hosts more than 1.5 million unique packages, and serves up more than 1 billion requests for JavaScript packages per day, to around 11 million developers worldwide.

Today, researchers at ReversingLabs have disclosed their findings on two malicious npm packages that secretly steal passwords from your Chrome web browser. "We have contacted NPM to take the package down. We are still waiting on their security team to respond," ReversingLabs' chief software architect and co-founder, Tomislav Pericin told BleepingComputer in an email interview.

A new malicious package has been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "Web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery. Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

The widely used npm library netmask has a networking vulnerability arising from how it parses IP addresses with a leading zero, leaving an estimated 278,000 projects at risk. Researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler have disclosed a digital nasty, tracked as CVE-2021-28918, in the hugely widespread netmask npm package.