Malicious NPM packages are part of a malware "barrage" hitting repositories:
Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.
This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.
This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that's a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.
"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."
Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy
(Score: 2) by drussell on Monday December 13 2021, @07:17PM (12 children)
WTF is NPM?
(Score: 4, Informative) by janrinok on Monday December 13 2021, @07:18PM
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @07:28PM (3 children)
A Microsoft product.
(Score: 2) by Runaway1956 on Monday December 13 2021, @09:12PM (1 child)
That's only half the story. It's javascript. Javascript by Microsoft.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by Reziac on Tuesday December 14 2021, @02:27AM
Wiki sayeth...
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.[19] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.[21]
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:40PM
To be pedantic, it was an independent product that Microsoft acquired. Why write your own garbage software when you can just wait for someone else to write it, then buy it?
(Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @08:35PM
A highly-buzzword malware vector.
(Score: 1, Funny) by Anonymous Coward on Monday December 13 2021, @08:38PM (2 children)
A millennial programmer's wet dream.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 14 2021, @12:53AM
As a millenial programmer I am here to say I hate NPM.
Even assuming it wasn't a malware delivery nightmare the versioning issues that are supposed to be made easy are frequently a giant pain in the ass. If you aren't constantly maintaining your project you'll find that package updates can break your project, force you to find alternatives, or WORST OF ALL dependencies get removed and you spend way more time trying to figure out replacements.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @03:22AM
They seem to be every programmer's wet dream since the idea of software repositories is older than millennials.
(Score: 2) by Freeman on Monday December 13 2021, @08:59PM (1 child)
The reason DannyB is the way he is, considering his association with the Java language.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Funny) by Anonymous Coward on Tuesday December 14 2021, @03:43AM
Even though DannyB is a Maven at Java, that doesn't change that Java != JavaScript and that JavaScript !== Java.
(Score: 2) by isostatic on Tuesday December 14 2021, @03:14PM
It stands for New Propagation of Malware