Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 12 submissions in the queue.
posted by janrinok on Monday December 13 2021, @06:31PM   Printer-friendly
from the just-trust-everyone dept.

Malicious NPM packages are part of a malware "barrage" hitting repositories:

Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that's a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.

"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."

Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Freeman on Monday December 13 2021, @08:59PM (1 child)

    by Freeman (732) on Monday December 13 2021, @08:59PM (#1204735) Journal

    The reason DannyB is the way he is, considering his association with the Java language.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1, Funny) by Anonymous Coward on Tuesday December 14 2021, @03:43AM

    by Anonymous Coward on Tuesday December 14 2021, @03:43AM (#1204860)

    Even though DannyB is a Maven at Java, that doesn't change that Java != JavaScript and that JavaScript !== Java.