Pierluigi Paganini
November 16, 2021
Maintainers of the npm package manager for the JavaScript programming language disclosed multiple flaws that were recently addressed. GitHub disclosed two major vulnerabilities in the npm that have been already addressed. The first vulnerability can be exploited by an attacker to publish new versions of any npm package using an account without proper authorization. The flaw was reported by […]
Pierluigi Paganini
October 23, 2021
The U.S. CISA warned of crypto-mining malware hidden in a popular JavaScript NPM library, named UAParser.js, which has millions of weekly downloads. The U.S. Cybersecurity and Infrastructure Security Agency published an advisory to warn of the discovery of a crypto-mining malware in the popular NPM Package UAParser.js. The popular library has million of weekly downloads. “Versions of a popular […]
Pierluigi Paganini
September 14, 2021
Experts found a critical flaw, tracked as CVE-2021-23406, in the popular NPM package ‘Pac-Resolver‘ that has millions of downloads every week. The development team behind a popular NPM package called ‘Pac-Resolver‘ for the JavaScript programming language fixed a high-severity remote code execution vulnerability tracked as CVE-2021-23406. The vulnerability can be exploited by remote attackers to run […]
Pierluigi Paganini
December 01, 2020
npm security staff removed two packages that contained malicious code to install the njRAT remote access trojan (RAT) on developers’ computers. Security staff behind the npm repository removed two packages that were found containing the malicious code to install the njRAT remote access trojan (RAT) on computers of JavaScript and Node.js developers who imported and […]
Pierluigi Paganini
November 23, 2020
Sonatype’s deep dive research allowed to identify a new family of Discord malware called CursedGrabber. Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem. The malware called “xpc.js” […]
Pierluigi Paganini
August 30, 2020
The npm security team removed a malicious JavaScript library from the npm repository that was designed to steal sensitive files from the victims. The npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and […]
Pierluigi Paganini
December 16, 2019
NPM, the biggest package manager for JavaScript libraries, has addressed a vulnerability that could be exploited to execute “binary planting” attacks. NPM maintainers have addressed a vulnerability that could allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed, so-called “binary planting” attacks. The vulnerability […]
Pierluigi Paganini
July 15, 2019
It has happened again, another JavaScript package in the npm registry has been compromised, it is the installer for PureScript. The installer for PureScript package in the npm registry has tampered forcing project maintainers to purge the malicious code. Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its […]
Data Breach / September 12, 2025
Cyber Crime / September 11, 2025
