Collaborate Disseminate
I was thinking about how to ensure the authenticity of Node.js packages that are installed from a public registry like npmjs.com. The only mechanisms (optionally) in place to my understanding are:
ECDSA registry signatures. Which to my un… Continue reading How can authenticity be ensured for Node.js packages when using a public registry like npmjs.com?
A year-long malware campaign targets Roblox developers using fake NPM packages mimicking “noblox.js” to steal data. Despite takedowns,… Continue reading Year-Long Malware Campaign Exploits NPM to Attack Roblox Developers
Phylum uncovers large-scale trojanized jQuery attacks targeting npm, GitHub, and CDNs. Malicious actors steal user form data through… Continue reading Trojanized jQuery Infiltrates npm, GitHub, and CDNs: Thousands of Packages at Risk
I would like to restrict the installation of npm package in some projects of my company to releases that are at least X weeks old.
The reason for that being that given enough time before installing a package version, it is likely that if t… Continue reading Only install packages that are at least X weeks old [migrated]
Does Node.js’s npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with ste… Continue reading Does Node.js’s npm provide cryptographic authentication and integrity validation?
Obviously any known vulnerabilities are not great, but I’m curious how much I should be concerned about them.
I’ve seen plenty of articles that talk about the rise in malware/spam in npm packages:
NPM malware attack goes unnoticed for a y… Continue reading How serious are npm module vulnerabilities?
By Waqas
Apart from displaying these messages, the packages performed no other actions. This indicates that these aren’t malicious per se.
This is a post from HackRead.com Read the original post: New Protestware Uses npm Packages to Call for Peace in G… Continue reading New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine
By Deeba Ahmed
Another day, another NPM typosquatting attack.
This is a post from HackRead.com Read the original post: NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package
Continue reading NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package
Threat actor uses typosquatting to trick hundreds of users into downloading a malicious NPM package that delivers the r77 rootkit.
The post Hundreds Download Malicious NPM Package Capable of Delivering Rootkit appeared first on SecurityWeek.
Continue reading Hundreds Download Malicious NPM Package Capable of Delivering Rootkit
Fortinet warns of multiple malicious NPM packages that include install scripts designed to steal sensitive information.
The post Dozens of Malicious NPM Packages Steal User, System Data appeared first on SecurityWeek.
Continue reading Dozens of Malicious NPM Packages Steal User, System Data