by arkadiyt
3218 days ago
There was recently a fiasco with NPM over a malicious node package whose name was an intentional typo of a popular package, and upon installation it exfiltrated all environment variables: https://twitter.com/o_cee/status/892306836199800836

After this got uncovered, Duo published a blog post where they scanned for and found several other malicious packages: https://duo.com/blog/hunting-malicious-npm-packages

The last one they talk about worms itself by adding itself to any packages authored on the computer it's installed on. These issues are not unique to npm.
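One defensive check suggested by the comment above, as an added example that is not part of the thread: audit a package.json for dependency names within a couple of edits of a popular package (the typosquat pattern) and for install-time lifecycle hooks, which is where the exfiltration and the self-propagation in the linked posts run. The popular-name list and the sample manifest are constructed for the example; run the same function over your own manifest and over each node_modules/*/package.json.

```python
import json
from typing import Dict, List

# Constructed sample of well-known names; a real check would use a registry popularity list.
POPULAR = {"cross-env", "lodash", "express", "request", "mongoose", "babel-core"}
# Lifecycle scripts npm runs automatically on install, so a payload here needs no user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, popular=POPULAR, max_dist: int = 2) -> List[str]:
    """Popular names within max_dist edits of `name`, excluding an exact match."""
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_dist)

def audit_manifest(text: str) -> Dict[str, List[str]]:
    """Return {package name: [reasons]} for everything in a package.json worth a closer look."""
    pkg = json.loads(text)
    findings: Dict[str, List[str]] = {}
    deps: Dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(pkg.get(key, {}))
    for dep in deps:
        reasons = [f"looks like {p}" for p in typosquat_candidates(dep)]
        if reasons:
            findings[dep] = reasons
    # Hooks declared by this manifest itself run on anyone who installs this package.
    scripts = pkg.get("scripts", {})
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        findings[pkg.get("name", "<unnamed>")] = [f"declares install hook {h}" for h in hooks]
    return findings

# Constructed manifest: one real-looking dependency plus two near-misses and a postinstall hook.
SAMPLE_MANIFEST = """{
  "name": "my-app",
  "scripts": {"postinstall": "node setup.js"},
  "dependencies": {"lodahs": "^4.0.0", "express": "^4.17.0", "expres": "1.0.0"}
}"""

if __name__ == "__main__":
    for name, reasons in audit_manifest(SAMPLE_MANIFEST).items():
        print(name, "->", "; ".join(reasons))
```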