Security News

NPM nukes NodeJS malware opening Windows, Linux reverse shells
2020-10-16 11:44

These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday. Although the malicious packages were spotted and removed by NPM, I was able to dig into Sonatype's automated malware detection system archives to obtain copies of their source code, as it had existed on NPM downloads.

Malicious npm package taken down after Microsoft warning
2020-01-15 11:32

Criminals have been caught trying to sneak a malicious package on to the popular Node.js platform npm. The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.

Npm Patches Vulnerability Allowing Access to User Files
2019-12-16 16:52

JavaScript package manager npm last week addressed a vulnerability that could allow a publisher to access files on a user’s system. The issue impacts versions of npm prior to 6.13.3 and versions...

Npm patches two serious bugs
2019-12-16 10:57

JavaScript package users have been warned to update due to a bug that could enable an attacker to infect them with malicious applications.

NPM swats path traversal bug that lets evil packages modify, steal files. That's bad for JavaScript crypto-wallets
2019-12-13 02:05

Trio of vulnerabilities made registry full of uncertain code even more of a risk. On Wednesday, NPM, Inc, the California-based biz that has taken it upon itself to organize the world's JavaScript...

Malicious code ousted from PureScript's npm installer – but who put it there in the first place?
2019-07-15 06:04

Account hijacking claimed by some but it may just be a developer behaving badly. Another JavaScript package in the npm registry - the installer for PureScript - has been tampered with, leading...

Cryptocurrency attack thwarted by npm team
2019-06-10 10:36

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves
2019-06-07 05:56

What a wild ride, eh Komodo? Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to...

Here's how NPM plans to improve security and reliability in 2019
2018-12-17 12:00

NPM is working to course-correct after 2018 brought a handful of major incidents that caused usability and security headaches for system administrators.

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
2018-11-26 20:58

Node.js package tried to plunder Bitcoin wallets. A widely used Node.js code library in NPM's warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question,...