Security News

In what's yet another act of sabotage, the developer behind the popular "Node-ipc" NPM package shipped a new version to protest Russia's invasion of Ukraine, raising concerns about security in the open-source and the software supply chain. Affecting versions 10.1.1 and 10.1.2 of the library, the changes introduced undesirable behavior by its maintainer RIAEvangelist, targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing it with a heart emoji.

The developer behind the hugely popular npm package "Node-ipc" has released sabotaged versions of the library to condemn Russia's invasion of Ukraine: a supply-chain tinkering that he'd prefer to call "Protestware" as opposed to "Malware." It started on March 8, when npm maintainer Brandon Nozaki Miller wrote source code and published an npm package called peacenotwar and oneday-test on both npm and GitHub.

This month, the developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. Newer versions of the 'node-ipc' package began deleting all data and overwriting all files on developer's machines, in addition to creating new text files with "Peace" messages.

Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.

WhiteSource released a threat report based on malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide. The report is based on findings from more than 1,300 malicious npm packages identified in 2021.

WhiteSource, a security firm based in Israel, says that in 2021, it detected 1,300 malicious npm packages. The npm registry is an online repository for distributing code packages that provide ready-made functions to developers using JavaScript and related languages.

More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months - a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications.

The cause has been traced down to a dependency used by create-react-app, the latest version of which is breaking developers' apps. Create React App is an open source project produced by Facebook and made available on both GitHub and npm to help developers build single-page React applications fast.

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'.

At least 17 malware-laced packages have been discovered on the NPM package Registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPi and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and environment variables from users' computers as well as gain full control over a victim's system.