
NPM Removes Malicious JavaScript Packages From The NPM Registry

Geneva Clark
What's New
16th Aug, 2017
On August 1, npm, Inc. revealed that it had recently removed about 40 JavaScript packages that were caught stealing environment variables upon installation. "The package naming was both deliberate and malicious – the intent was to collect useful data from tricked users," npm explained.

According to npm, on July 19 a user named Hack Task uploaded 40 JavaScript packages whose names were near-identical to those of popular npm packages. These packages were downloaded approximately 700 times before they were removed. npm estimated that only about 50 of those 700 downloads were real installations; the remainder came from registry mirrors.

The first report came from a Swedish user, who informed npm via Twitter that a package with a name very similar to the cross-env package was engaged in suspicious activity. "If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment," npm advised.

Finally, npm banned the user Hack Task and reported that its developers are evaluating different approaches to prevent future malicious typosquatting. "There are programmatic ways to detect this, and we might use them to block publication," npm explained in its blog post. "We're using the Smyte service [a trust and safety SaaS offering] to detect spam as it is published to the registry, and will be experimenting with using it to detect other kinds of violations of our terms of service."
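One of the "programmatic ways" such a check could work is a publish-time comparison of a new package name against a list of popular names, flagging anything one typo, one transposition, or one dropped separator away. The following is an added illustration, not npm's own code; the POPULAR list and the sample candidate names are constructed for the example.

```javascript
// Added example: flag npm package names that are one typo away from a popular package.
// Assumption: POPULAR is a constructed allow-list; npm's real detection logic is not shown here.
const POPULAR = ["cross-env", "lodash", "express", "babel-cli", "left-pad"];

// Damerau-Levenshtein distance (optimal string alignment): insert, delete,
// substitute, or swap two adjacent characters each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise separators so "cross-env", "cross_env" and "crossenv" compare equal.
function canonical(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns the popular package a candidate name is confusable with, or null.
// The genuine package itself is never flagged.
function typosquatOf(candidate) {
  if (POPULAR.includes(candidate)) return null;
  const c = canonical(candidate);
  for (const p of POPULAR) {
    if (canonical(p) === c || editDistance(candidate, p) <= 1 || editDistance(c, canonical(p)) <= 1) {
      return p;
    }
  }
  return null;
}

// Constructed sample: names a registry might see at publish time.
const SAMPLE = ["cross-env", "crosenv", "cross_env", "lodahs", "expresss", "react"];
function checkAll(names) {
  return Object.fromEntries(names.map((n) => [n, typosquatOf(n)]));
}
console.log(checkAll(SAMPLE));
```

A registry could hold such matches for manual review rather than reject them outright, since a legitimate fork or companion package may also sit one edit away from a popular name.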

Source: NPM Official Blog

Geneva Clark

Blog Author
Geneva specializes in back-end web development and has always been fascinated by the dynamic part of the web. Talk to her about modern web applications and she loves to nerd out on all things Ruby on Rails.
