Hundreds of malware-laden fake npm packages posted online to try and trick developers

0
6


  • Criminals are adding hundreds of malicious packages to npm
  • The packages try to fetch a stage-two payload to infect the machines
  • The crooks went to lengths to hide where they host the malware

Software developers, especially those working with cryptocurrencies, are once again facing a supply chain attack via open source code repositories.

Cybersecurity researchers from Phylum have warned a threat actor has uploaded hundreds of malicious packages to the open source package repository npm. The packages are typosquatted versions of Puppeteer and Bignum.js. Developers who are in need of these packages for their products, might end up downloading the wrong version by mistake, since they all come with similar names.

LEAVE A REPLY

Please enter your comment!
Please enter your name here