Submitted via IRC for SoyCow8317
The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.
The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.
The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library. The npm team explains:
The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor. [...] We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi
(Score: 0) by Anonymous Coward on Friday May 04 2018, @01:43PM
From the editor-was-too-lazy-to-add-a-dept.-line dept.
On topic:
From the code-review-working-as-intended dept.