Security News
A new malicious package has been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "Web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.
A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery. Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.
The widely used npm library netmask has a networking vulnerability arising from how it parses IP addresses with a leading zero, leaving an estimated 278,000 projects at risk. Researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler have disclosed a digital nasty, tracked as CVE-2021-28918, in the hugely widespread netmask npm package.
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.
The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said. There is also "Clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users," according to researchers at Sonatype.
New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer. NPM is a JavaScript package manager that allows developers and users to download packages and integrate them into their projects.
A heavily obfuscated and malicious NPM project is used to steal Discord user tokens and browser information from unsuspecting users. Due to this open system, it is becoming common for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.
These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday. Although the malicious packages were spotted and removed by NPM, I was able to dig into Sonatype's automated malware detection system archives to obtain copies of their source code, as it had existed on NPM downloads.
Criminals have been caught trying to sneak a malicious package on to the popular Node.js platform npm. The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.
JavaScript package manager npm last week addressed a vulnerability that could allow a publisher to access files on a user’s system. The issue impacts versions of npm prior to 6.13.3 and versions...