Security News

More than 200 malicious packages have been discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers.

Computer scientists at North Carolina State University have put one of its tools to the test by evaluating software package registries npm and PyPI using OpenSSF Scorecards. In a preprint paper distributed via ArXiv, NCSU researchers Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, and Laurie Williams applied the OpenSSF Scorecard to software packages within npm and PyPI in order to see what security practices could be identified among the developers using those registries.

Cybercriminals continue to use npm packages to drop malicious packages on unsuspecting victims, most recently to steal Discord login tokens, bank card data, and other user information from infected systems. Details of the latest npm campaign, dubbed "LofyLife" by Kaspersky threat intelligence hunters, comes at the same time that GitHub - which owns NPM the compny, and in turn is owned by Microsoft - unveiled an array of enhancements to npm security in the wake several high-profile incidents involving malicious npm packages.

Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages containing "Highly obfuscated malicious Python and JavaScript code" in the npm repository, they wrote in the post. Npm has become an especially attractive target for threat actors as it not only has tens of millions of users, but packages hosted by the repository also have been downloaded billions of times, he said.

Multiple npm packages are being used in an ongoing malicious campaign dubbed LofyLife to infect Discord users with malware that steals their payment card information. "All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign 'LofyLife'."

GitHub has announced the general availability of three significant improvements to npm, aiming to make using the software more secure and manageable. In summary, the new features include a more streamlined login and publishing experience, the ability to link Twitter and GitHub accounts to npm, and a new package signature verification system.

Researchers have disclosed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts.

A burst of almost 1,300 JavaScript packages automatically created on NPM via more than 1,000 user accounts could be the initial step in a major crypto-mining campaign, according to researchers at Checkmarx. Microsoft GitHub-owned NPM hosts hundreds of thousands of JavaScript packages for developers.

A widespread software supply chain attack has targeted the NPM package manager at least since December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them. The coordinated attack, dubbed IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript, which comes with malicious code to harvest sensitive data from forms embedded downstream mobile applications and websites.

Researchers at ReversingLabs have uncovered evidence of a widespread software supply chain attack through malicious JavaScript packages picked up via NPM. NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years. The latest problem stems from typo-squatting, where an attacker offers up malicious packages with names similar to real packages.