Submitted via IRC for SoyCow8317
The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular, albeit deprecated, JavaScript package.
The backdoor mechanism itself was found in "getcookies," a recently created npm package (JavaScript library) for working with browser cookies.
The npm team, which analyzed the package earlier today after reports from the npm community, says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript application that had incorporated this library, whether directly or as a dependency pulled in by another package. The npm team explains:
The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor. [...] We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi
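As an added illustration (this is not code from the npm write-up or from the getcookies package), the following JavaScript models the trigger path described above and turns it into a request-level check. The article gives only the g/h/i delimiters, so the token classes assumed here for COMMAND (two hex digits) and DATA (hex bytes) are this example's own, as are the sample header sets, which are constructed rather than captured traffic.

```javascript
// Added example: not code from the npm write-up or the getcookies package.
// Models the trigger path described above (the whole header object is
// JSON-stringified and the string is searched for g<COMMAND>h<DATA>i) and
// turns it into a check a server can run before any dependency sees the request.
//
// ASSUMPTION: the article only gives the g/h/i delimiters. The token classes
// used here (COMMAND = two hex digits, DATA = hex bytes) are this example's
// own choice so the demo has a concrete, low-false-positive pattern; the real
// sample's grammar is not reproduced.
const MARKER = /g([0-9a-f]{2})h([0-9a-f]*)i/g;

// Scan one request's header object the way the backdoor did and return every
// embedded command, so a detector or a regression test can act on it.
// Scanning the stringified object matters: the marker can sit in any header
// (a cookie, a custom X- header, even a header name), not just one field.
function findBackdoorMarkers(headers) {
  const haystack = JSON.stringify(headers);
  const hits = [];
  for (const m of haystack.matchAll(MARKER)) {
    hits.push({ command: m[1], data: m[2], offset: m.index });
  }
  return hits;
}

// Express/Connect-style middleware: refuse the request and record the
// command bytes (never the payload) for whoever investigates.
// Returns true when the request was blocked, which keeps it easy to test.
function blockBackdoorTriggers(req, res, next) {
  const hits = findBackdoorMarkers(req.headers);
  if (hits.length === 0) {
    next();
    return false;
  }
  console.warn('getcookies-style marker in request headers', {
    remote: req.socket ? req.socket.remoteAddress : undefined,
    commands: hits.map((h) => h.command),
  });
  res.statusCode = 400;
  res.end();
  return true;
}

// Constructed sample header sets (not captured traffic).
const SAMPLE_BENIGN = {
  host: 'app.example',
  'user-agent': 'curl/8.0',
  'accept-encoding': 'gzip, deflate',
};
const SAMPLE_CUSTOM_HEADER = {
  host: 'app.example',
  'x-debug': 'g01h616263i', // command 01, data bytes 0x61 0x62 0x63
};
const SAMPLE_COOKIE = {
  host: 'app.example',
  cookie: 'session=abc; tracker=g02hi', // command 02, empty data
};

// Stand-alone demo: show which constructed samples carry a marker.
for (const [label, headers] of Object.entries({ SAMPLE_BENIGN, SAMPLE_CUSTOM_HEADER, SAMPLE_COOKIE })) {
  console.log(label, findBackdoorMarkers(headers));
}
```

The middleware is a stopgap for the window between learning a tainted version is in the tree and shipping a build without it; the fix is removing the dependency. Any signature keyed to syntax this narrow is brittle, so treat the pattern above as a demonstration of the mechanism, not a production rule.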
(Score: 3, Interesting) by JNCF on Thursday May 03 2018, @07:52PM
Good to see that npm adopted yarn's lock files! I like their JSON layout with hashes separated from file locations more than the yarn way of storing that data. I considered bringing up yarn, but I was worried it might be a bit off-topic since we're discussing issues arising from public repos. Yarn can solve your issues, or my issues, but not our issues.