Collaborate Disseminate
By Waqas
The launch of the Malicious Packages repository comes at a time when cyberattacks, leveraging malicious open source packages, are on the rise.
This is a post from HackRead.com Read the original post: OpenSSF Launches Malicious Packages Reposit… Continue reading OpenSSF Launches Malicious Packages Repository
I have a Node.js app which has a lot of npm-dependencies, running on Linux (Centos) machine.
When Node starts, the script has access to the files outside its directory (as least by default), so malicious npm-package could traverse a direct… Continue reading Restrict node.js filesystem access
First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this, npm hosts …read more Continue reading This Week in Security: npm Timing Leak, Siemens Universal Key, and PHP in PNG
Almost every week you can read about attacks performed through compromised npm libraries. The npm ecosystem is vast and unmanageable and for it-sec people it is frustrating to deal with all the possible threats that come with using npm.
Th… Continue reading Basically only 2 ways of npm supply chain attacks?
I have not been able to find a single page that actually explains how npm’s
ECDSA signing system works.
The closest I could find is the official documentation, but as far as I can
tell from that documentation, this system is completely use… Continue reading How does npm’s ECDSA signing system improve security?
By Deeba Ahmed
The malicious NPM packages used in this supply chain attack can steal Discord tokens and financial data. Discord,…
This is a post from HackRead.com Read the original post: LofyLife: Malicious npm Packages Used in Siphoning Off Disc… Continue reading LofyLife: Malicious npm Packages Used in Siphoning Off Discord Tokens, Card Data
TL;DR: running npm i … not long after pass my-password allows a malicious package to steal my entire password store.
I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root.
The … Continue reading How to securely use `pass`, `sudo`, and `npm` on the same machine
I have a vulnerability scanner than detected a security vulnerability in a particular package. Let’s call it package "D@4.0". D@4.0 is used by other dependencies, such as this:
A@1.0 > B@2.0 > C@3.0 > D@4.0.
Typically th… Continue reading How to exploit and fix dependency vulnerabilities? [closed]
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in … Continue reading How to vet third-party developer packages
I have a problem where I have too many vulnerabilities on a few hundred repositories introduced with outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain in the butt for me is that the engineer… Continue reading Is there a way to check if vulnerability introduced by npm package is reachable/exploitable