npm

Pierluigi Paganini November 23, 2020
Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

Sonatype’s deep dive research allowed to identify a new family of Discord malware called CursedGrabber. Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem. The malware called “xpc.js” […]

Pierluigi Paganini August 30, 2020
Malicious npm package ‘fallguys’ removed from the official repository

The npm security team removed a malicious JavaScript library from the npm repository that was designed to steal sensitive files from the victims. The npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and […]

Pierluigi Paganini December 16, 2019
Experts found binary planting and arbitrary file overwrite flaws in NPM

NPM, the biggest package manager for JavaScript libraries, has addressed a vulnerability that could be exploited to execute “binary planting” attacks. NPM maintainers have addressed a vulnerability that could allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed, so-called “binary planting” attacks. The vulnerability […]

Pierluigi Paganini July 15, 2019
The npm installer for PureScript package has been compromised

It has happened again, another JavaScript package in the npm registry has been compromised, it is the installer for PureScript. The installer for PureScript package in the npm registry has tampered forcing project maintainers to purge the malicious code. Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its […]