
Another npm supply-chain attack

by corbet, from LWN.net (#702Q0)
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.

The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.

There is some more information in this Krebs on Security article.

Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/