Security News

NPM packages posing as speed testers install crypto miners instead
2023-02-14 17:25

A new set of 16 malicious NPM packages is posing as internet speed testers but is, in reality, a set of coinminers that hijack the compromised computer's resources to mine cryptocurrency for the threat actors. The packages were uploaded to NPM, an online repository containing over 2.2 million open-source JavaScript packages shared among software developers to speed up the coding process.

Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection
2022-11-30 13:44

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "Unexpected behavior" in the npm command line interface tool. Npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.

RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam
2022-11-03 19:36

The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.

New Timing Attack Against NPM Registry API Could Expose Private Packages
2022-10-13 12:00

A novel timing attack discovered against npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. The Scoped Confusion attack relies on analyzing the time it takes for the npm API to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existent module.

New npm timing attack could lead to supply chain attacks
2022-10-12 15:16

Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. The attack relies on a small time difference in the return of a "404 Not Found" error when searching for a private compared to a non-existent package in the repository. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists to perform package impersonation attacks.

LofyGang hackers built a credential-stealing enterprise on Discord, NPM
2022-10-07 13:00

The 'LofyGang' threat actors have created a credential-stealing enterprise by distributing 200 malicious packages and fake hacking tools on code hosting platforms, such as NPM and GitHub. LofyGang is motivated by financial profit, aiming to achieve high-volume account compromise and then resell access to those accounts on various private channels on the dark web, hacking forums, and Discord.

LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data
2022-10-07 12:59

Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang. Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for over a year with the goal of stealing credit card data as well as user accounts associated with Discord Nitro, gaming, and streaming services.

npm packages used by crypto exchanges compromised
2022-09-23 16:31

Multiple npm packages published by the crypto exchange dYdX, and used by at least 44 cryptocurrency projects, appear to have been compromised. The packages in question were published from the npm account of a dYdX staff member and were found to contain illicit code that would run info stealers on a system when installed.

Malicious NPM Package Caught Mimicking Material Tailwind CSS Package
2022-09-22 15:01

A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an "Easy to use components library for Tailwind CSS and Material Design."