from the llehS dept.
48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems:
A new set of 48 malicious npm packages has been discovered in the npm repository, with capabilities to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
[...] "In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.
The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the guise of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.
(Score: 2) by BsAtHome on Saturday November 04, @01:52PM
To start with: npm is a cesspit of packages and the javascript (development) environment is hopeless, has a poor basis and is a dependency nightmare.
With that said, the article author goes on to blame open source for the shortcomings and supply-chain attacks. That is calling the hammer guilty of murder. Not a statement to be taken seriously at any level. For those proprietary code pushers, well, these are even less trustworthy because they won't allow you to actually vet the packages.
Yes, the supply-chain problem is a real problem. Modern development is often and much built on what was adequately described by Randall Munroe [xkcd.com] quite some time ago. If takers are only taking, then we'll always have a dependency nightmare and an open door to supply-chain attacks.
Anarchy only invites anarchists. We need to be organized and cooperative. And we need to, a) to make many eyes see the problems and b) to fix things in the best way possible.
(Score: 2) by DadaDoofy on Saturday November 04, @02:10PM
Everyone knows Windows is the target bad actors focus on. All the cool kids use Linux, because it is immune to that sort of thing. Oh wait...