Browsing tag
In what’s a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links. “The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another,” Checkmarx researcher Yehuda Gelb said in a Tuesday report. “The attackers […]
A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an “easy to use components library for Tailwind CSS […]
A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them. The supply chain threat has been dubbed “Package Planting” by researchers from cloud security firm Aqua. Following responsible disclosure […]
A threat actor dubbed “RED-LILI” has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. “Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks,” Israeli security company Checkmarx said. “As it seems this time, the attacker has fully-automated […]
At least 17 malware-laced packages have been discovered on the NPM package Registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPi and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and environment variables from users’ computers […]
Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of distributing stealing credentials, installing remote access trojans, and infecting the compromised systems with ransomware. The bogus packages — named “noblox.js-proxy” and “noblox.js-proxies” — were found to […]
Use regular expressions to get sensitive information from a given repository (GitHub, pip or npm). Dependencies You only need to have python 3.6 or higher installed to launch this script. In addition you must have installed in the system git, pip and npm. How to use It’s very easy to use, just run the […]
Last week we reported that the popular JavaScript library Standard JS has started showing giant ad banners in the npm command-line interface. However, this news wasn’t received well by developers and following the community’s negative reaction, npm has decided to ban terminal ads altogether. Ahmad Nassri, CTO of npm, Inc. told ZDNet, “we’re making updates […]
Nothing is safe these days, not even Node’s npm.The Node.js Package Manager (or just npm) allows the author of a malicious package to infect other packages and propagate malicious scripts across the npm ecosystem and in the builds of legitimate projects. npm is to Node.js what apt-get is for Linux and what gem is to […]