AT2k Design BBS Message Area
From: VRSS
To: All
Subject: Destructive Malware Available In NPM Repo Went Unnoticed For 2 Y
Date/Time: May 22, 2025 5:20 PM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Destructive Malware Available In NPM Repo Went Unnoticed For 2 Years

Link: https://yro.slashdot.org/story/25/05/22/20122...

An anonymous reader quotes a report from Ars Technica: Researchers have found
malicious software that received more than 6,000 downloads from the NPM
repository over a two-year span, in yet another discovery showing the hidden
threats users of such open source archives face. Eight packages using names
that closely mimicked those of widely used legitimate packages contained
destructive payloads designed to corrupt or delete important data and crash
systems, Kush Pandya, a researcher at security firm Socket, reported
Thursday. The packages have been available for download for more than two
years and accrued roughly 6,200 downloads over that time. "What makes this
campaign particularly concerning is the diversity of attack vectors -- from
subtle data corruption to aggressive system shutdowns and file deletion,"
Pandya wrote. "The packages were designed to target different parts of the
JavaScript ecosystem with varied tactics." [...] Some of the payloads were
limited to detonate only on specific dates in 2023, but in some cases a phase
that was scheduled to begin in July of that year was given no termination
date. Pandya said that means the threat remains persistent, although in an
email he also wrote: "Since all activation dates have passed (June
2023-August 2024), any developer following normal package usage today would
immediately trigger destructive payloads including system shutdowns, file
deletion, and JavaScript prototype corruption." The list of malicious
packages included js-bomb, js-hood, vite-plugin-bomb-extend,
vite-plugin-bomb, vite-plugin-react-extend, vite-plugin-vue-extend,
vue-plugin-bomb, and quill-image-downloader.
