On August 1, npm, Inc. revealed that it had recently removed about 40 JavaScript packages that were caught stealing environment variables upon installation. "The package naming was both deliberate and malicious – the intent was to collect useful data from tricked users," npm explained.
According to npm, on July 19 a user named Hack Task uploaded 40 JavaScript packages whose names mimicked those of popular npm packages. These packages were downloaded approximately 700 times before they were removed. npm estimated that only about 50 of those 700 were real installations; the rest came from registry mirrors.
The incident came to light when a Swedish user informed npm via Twitter that a package with a name very similar to the cross-env package was engaging in suspicious activity. "If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment," npm advised.
npm banned the user Hack Task and said its developers are evaluating different approaches to prevent future malicious typosquatting. "There are programmatic ways to detect this, and we might use them to block publication," the npm blog post explained. "We're using the Smyte service [a trust and safety SaaS offering] to detect spam as it is published to the registry, and will be experimenting with using it to detect other kinds of violations of our terms of service."
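One form the "programmatic" check mentioned above can take, as an added example that is not npm's own code: scan a project's package.json for dependency names that are one edit (or only a separator) away from a well-known package, the pattern that let crossenv pass for cross-env. The list of popular names and the sample manifest are constructed for this example; a real check would use download-ranked names from the registry.

```javascript
// Constructed sample of well-known package names (assumption for this example).
const POPULAR = ["cross-env", "babel-cli", "lodash", "express", "mongoose"];

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters each cost 1, so "lodahs" is one edit from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse separators so "cross-env" and "crossenv" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns one finding per dependency that is not itself a popular package but
// differs from one only by separators or by a single edit.
function findSuspiciousDeps(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (POPULAR.includes(name)) continue;
    for (const popular of POPULAR) {
      if (normalize(name) === normalize(popular)) {
        findings.push({ name, lookalike: popular, reason: "separator-only difference" });
        break;
      }
      if (editDistance(name, popular) <= 1) {
        findings.push({ name, lookalike: popular, reason: "one edit away" });
        break;
      }
    }
  }
  return findings;
}

// Constructed manifest: "crossenv" mimics cross-env, "lodahs" mimics lodash.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.15.0", crossenv: "^5.0.0" },
  devDependencies: { lodahs: "^4.17.0", mongoose: "^4.11.0" },
};

for (const f of findSuspiciousDeps(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name} looks like ${f.lookalike} (${f.reason})`);
}
```

A hit is a prompt to verify the package's publisher and history before installing, not proof of malice, since legitimate forks and scoped variants also produce near-identical names.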
Source: NPM Official Blog