NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages

April 27, 2022


A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that allows malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.

The supply chain threat has been dubbed “Package Planting” by researchers from cloud security firm Aqua. Following responsible disclosure on February 10, the underlying issue was remediated by NPM on April 26.


“Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent,” Aqua’s Yakir Kadkoda said in a report published Tuesday.

This effectively meant that an adversary could create malware-laced packages and assign them to trusted, popular maintainers without their knowledge.

The idea is to attach credible owners associated with other popular NPM libraries to the attacker-controlled poisoned package, in the hope that doing so would entice developers into downloading it.

The consequences of such a supply chain attack are significant for a number of reasons. Not only does it create a false sense of trust among developers, it could also inflict reputational damage on legitimate package maintainers.


The disclosure comes as Aqua uncovered two additional flaws in the NPM platform related to two-factor authentication (2FA) that could be abused to facilitate account takeover attacks and publish malicious packages.

“The main problem is that any npm user can perform this and add other NPM users as maintainers of their own package,” Kadkoda said. “Eventually, developers are responsible for what open source packages they use when building applications.”
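One check a developer can run before trusting a maintainer list, as an added example (not code from the article, from Aqua or from NPM): the public registry records, for every published version, who actually published it in the `_npmUser` field, so a maintainer who appears in `maintainers` but never in any version's `_npmUser` is listed without evidence that they ever touched the package. The package and user names below are constructed.

```python
"""Flag npm maintainers who are listed on a package but never published any version of it."""
import json

# Constructed sample packument (npm registry metadata): "evil-dev" published every
# version, then added "trusted-dev" as a maintainer without their consent.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-utils",
    "dist-tags": {"latest": "1.0.1"},
    "maintainers": [
        {"name": "evil-dev", "email": "evil@example.invalid"},
        {"name": "trusted-dev", "email": "trusted@example.invalid"},
    ],
    "versions": {
        "1.0.0": {"_npmUser": {"name": "evil-dev", "email": "evil@example.invalid"}},
        "1.0.1": {"_npmUser": {"name": "evil-dev", "email": "evil@example.invalid"}},
    },
})


def planted_maintainers(packument_json: str) -> list[str]:
    """Return maintainer names that never appear as the publisher of any version."""
    doc = json.loads(packument_json)
    # The registry stores the publishing account of each version under _npmUser.
    publishers = {
        version.get("_npmUser", {}).get("name")
        for version in doc.get("versions", {}).values()
    }
    publishers.discard(None)
    return sorted(
        m["name"] for m in doc.get("maintainers", []) if m["name"] not in publishers
    )


def trust_verdict(packument_json: str, trusted: set[str]) -> str:
    """Say whether the names you rely on actually published this package."""
    doc = json.loads(packument_json)
    latest = doc["dist-tags"]["latest"]
    latest_publisher = doc["versions"][latest].get("_npmUser", {}).get("name")
    # Only the trusted names matter: other never-publishing maintainers are noise.
    planted = set(planted_maintainers(packument_json)) & trusted
    if planted:
        names = ", ".join(sorted(planted))
        return f"suspicious: {names} listed but never published; latest by {latest_publisher}"
    return f"ok: latest version {latest} published by {latest_publisher}"


if __name__ == "__main__":
    print(trust_verdict(SAMPLE_PACKUMENT, {"trusted-dev"}))
```

A legitimately transferred package whose new owner has not yet published also trips this check, so treat a hit as a prompt for manual review rather than proof of planting.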

Some parts of this article are sourced from:
thehackernews.com
