#Breaking There's an active nodejs supply chain attack going around.
-
And to be clear this is NOT an all clear just yet. Why?
1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)
https://partyon.xyz/@nullagent/115607663085751105
2. Infected computers and servers are STILL posting stolen PII to public GitHub repos for the world to see. GitHub has just gotten a tad faster at taking them down.
https://partyon.xyz/@nullagent/115607844583101135
So this is a smoldering fire still and we need to stay vigilant.
These sorts of NPM worms have been around for a LONG time.
It's typically due to low 2FA opt-in on NPM accounts.
So if you're a package maintainer, be sure to set up NPM 2FA, and do it asap!
A lesser known NPM capability is that you can disable install-time scripts. This may break some packages, but it's worth a try to see if your projects can work without any install scripts.

https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability