Collaborate Disseminate
Almost every week you can read about attacks performed through compromised npm libraries. The npm ecosystem is vast and unmanageable and for it-sec people it is frustrating to deal with all the possible threats that come with using npm.
Th… Continue reading Basically only 2 ways of npm supply chain attacks?
I have not been able to find a single page that actually explains how npm’s
ECDSA signing system works.
The closest I could find is the official documentation, but as far as I can
tell from that documentation, this system is completely use… Continue reading How does npm’s ECDSA signing system improve security?
By Deeba Ahmed
The malicious NPM packages used in this supply chain attack can steal Discord tokens and financial data. Discord,…
This is a post from HackRead.com Read the original post: LofyLife: Malicious npm Packages Used in Siphoning Off Disc… Continue reading LofyLife: Malicious npm Packages Used in Siphoning Off Discord Tokens, Card Data
TL;DR: running npm i … not long after pass my-password allows a malicious package to steal my entire password store.
I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root.
The … Continue reading How to securely use `pass`, `sudo`, and `npm` on the same machine
I have a vulnerability scanner than detected a security vulnerability in a particular package. Let’s call it package "D@4.0". D@4.0 is used by other dependencies, such as this:
A@1.0 > B@2.0 > C@3.0 > D@4.0.
Typically th… Continue reading How to exploit and fix dependency vulnerabilities? [closed]
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in … Continue reading How to vet third-party developer packages
I have a problem where I have too many vulnerabilities on a few hundred repositories introduced with outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain in the butt for me is that the engineer… Continue reading Is there a way to check if vulnerability introduced by npm package is reachable/exploitable
By Deeba Ahmed
Discord tokens have become the perfect medium for cybercriminals to gain unauthorized access to accounts allowing the operators…
This is a post from HackRead.com Read the original post: Cybercriminals hit malware authors with malic… Continue reading Cybercriminals hit malware authors with malicious NPM packages
I am using this command to add user to npm:
npm adduser
after I input the one-time password, it still did not work. this is the log output:
➜ js-wheel git:(main) ✗ npm adduser
npm notice Log in on https://registry.npmjs.org/
Username: de… Continue reading why the one-time password from your authenticator app not work when adduser for npm [migrated]
We’ve covered quite a few stories about malware sneaking into the NPN and other JavaScript repositories. This is a bit different. This time, a JS programmer vandalized his own packages. …read more Continue reading This Week in Security: NPM Vandalism, Simulating Reboots, and More