Article 6XFMD Destructive malware available in NPM repo went unnoticed for 2 years

by Dan Goodin, from Ars Technica - All content (#6XFMD)

Researchers have found malicious software that received more than 6,000 downloads from the NPM registry over a two-year span, in yet another discovery showing the hidden threats that users of open source package registries face.

Eight packages using names that closely mimicked those of widely used legitimate packages contained destructive payloads designed to corrupt or delete important data and crash systems, Kush Pandya, a researcher at security firm Socket, reported Thursday. The packages had been available for download for more than two years and accrued roughly 6,200 downloads in that time.

A diversity of attack vectors

"What makes this campaign particularly concerning is the diversity of attack vectors, from subtle data corruption to aggressive system shutdowns and file deletion," Pandya wrote. "The packages were designed to target different parts of the JavaScript ecosystem with varied tactics."

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/