
Destructive malware available in NPM repo went unnoticed for 2 years

22 May 2025 at 19:15

Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.

Eight packages with names that closely mimicked those of widely used legitimate packages (a lookalike-naming tactic commonly called typosquatting) contained destructive payloads designed to corrupt or delete important data and crash systems, Kush Pandya, a researcher at security firm Socket, reported Thursday. The packages had been available for download for more than two years and accrued roughly 6,200 downloads over that time.
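The lookalike-naming tactic described above is something a project can screen for before `npm install` runs. The following is an added example, not code from the article, from Socket or from the packages discussed: it walks a `package.json`, strips any `@scope/` prefix, and flags dependency names that sit within a small edit distance of well-known package names without matching one exactly. The "popular packages" list and the sample `package.json` are constructed for illustration, and the distance thresholds are an assumption chosen to keep false positives low on short names.

```javascript
// Added example (not from the article): flag dependency names that closely
// mimic well-known package names, the naming tactic the article describes.

// Constructed, illustrative list of well-known names. In practice this would be
// generated from a curated allowlist or a download-count ranking.
const POPULAR_PACKAGES = [
  "react", "express", "lodash", "chalk", "commander", "axios", "debug", "moment",
];

// Constructed sample package.json; "expresss", "lodahs" and "chalkk" are deliberate lookalikes.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    react: "^18.2.0",
    expresss: "^4.18.2",
    lodahs: "^4.17.21",
    "@types/node": "^20.0.0",
  },
  devDependencies: {
    chalkk: "^5.0.0",
    "cross-env": "^7.0.3",
  },
};

// Levenshtein edit distance (insertions, deletions, substitutions), single-row DP.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value of row[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // row[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped lookalikes are compared on the bare name.
function bareName(depName) {
  return depName.startsWith("@") ? depName.slice(depName.indexOf("/") + 1) : depName;
}

// Assumed threshold: short names tolerate 1 edit, longer names 2. An exact match
// to a popular name is not a lookalike and is skipped.
function maxDistanceFor(name) {
  return name.length < 6 ? 1 : 2;
}

// Returns [{ dependency, resembles, distance }] for every dependency whose bare
// name is within the threshold of a popular name but is not identical to one.
function findLookalikes(pkg, popular = POPULAR_PACKAGES) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const hits = [];
  for (const section of sections) {
    for (const depName of Object.keys(pkg[section] || {})) {
      const bare = bareName(depName);
      if (popular.includes(bare)) continue; // exact, legitimate match
      let best = null;
      for (const candidate of popular) {
        const d = editDistance(bare, candidate);
        if (best === null || d < best.distance) best = { resembles: candidate, distance: d };
      }
      if (best && best.distance <= maxDistanceFor(bare)) {
        hits.push({ dependency: depName, resembles: best.resembles, distance: best.distance });
      }
    }
  }
  return hits.sort((x, y) => x.dependency.localeCompare(y.dependency));
}

// Stand-alone run: prints the flagged dependencies for the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findLookalikes(SAMPLE_PACKAGE_JSON), null, 2));
}
```

A hit from this check is a prompt to inspect the package (publisher, age, install scripts), not proof of malice; legitimate forks and plugins often carry near-identical names, which is exactly why exact matches are excluded and the threshold is kept small.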

A diversity of attack vectors

“What makes this campaign particularly concerning is the diversity of attack vectors—from subtle data corruption to aggressive system shutdowns and file deletion,” Pandya wrote. “The packages were designed to target different parts of the JavaScript ecosystem with varied tactics.”
