Destructive malware available in NPM repo went unnoticed for 2 years
Summary
Researchers from security firm Socket have found eight malicious software packages on the npm package repository that mimicked legitimate packages and contained destructive payloads.
The packages were designed to target different parts of the JavaScript ecosystem, with varied tactics that included deleting files, corrupting core JavaScript functions with random data and forcing system shutdowns.
Attackers can take advantage of the ease of deployment and the “mutual trust” among developers on open source repositories to slip malicious packages into projects, said Kush Pandya, who discovered the malware.
To avoid falling victim to this type of attack, developers should conduct thorough due diligence before installing a package, including checking the package’s integrity and verifying its authenticity with the publisher.
Socket found the packages after being tipped off by a JavaScript developer who had discovered odd behaviour by one of the malicious packages.