BTC $57054.0562
ETH $3243.0497
BNB $394.9600
SOL $108.4177
XRP $0.5865
stETH $3239.3493
ADA $0.6239
AVAX $39.2702
DOGE $0.0977
TRX $0.1428
wstETH $3750.7519
DOT $8.3691
LINK $19.0300
WETH $3348.6813
MATIC $1.0282
UNI $10.8579
WBTC $56903.9273
IMX $3.3452
ICP $13.0217
BCH $292.5040
LTC $74.0124
CAKE $3.1570
ETC $28.0992
LEO $4.3640
FIL $7.6578
KAS $0.1689
RNDR $7.2011
DAI $1.0000
ATOM $11.2097
HBAR $0.1082
INJ $40.1071
VET $0.0489
TON $2.1280
OKB $51.4855
FDUSD $0.9985
LDO $3.4670
STX $2.9465
XMR $135.8398
XLM $0.1230
ARB $1.8948
NEAR $3.9608
TIA $17.0031
WEMIX $2.3756
GRT $0.2795
ENS $22.1963
MKR $2154.9330
APEX $2.3329
BTC $57054.0562
ETH $3243.0497
BNB $394.9600
SOL $108.4177
XRP $0.5865
stETH $3239.3493
ADA $0.6239
AVAX $39.2702
DOGE $0.0977
TRX $0.1428
wstETH $3750.7519
DOT $8.3691
LINK $19.0300
WETH $3348.6813
MATIC $1.0282
UNI $10.8579
WBTC $56903.9273
IMX $3.3452
ICP $13.0217
BCH $292.5040
LTC $74.0124
CAKE $3.1570
ETC $28.0992
LEO $4.3640
FIL $7.6578
KAS $0.1689
RNDR $7.2011
DAI $1.0000
ATOM $11.2097
HBAR $0.1082
INJ $40.1071
VET $0.0489
TON $2.1280
OKB $51.4855
FDUSD $0.9985
LDO $3.4670
STX $2.9465
XMR $135.8398
XLM $0.1230
ARB $1.8948
NEAR $3.9608
TIA $17.0031
WEMIX $2.3756
GRT $0.2795
ENS $22.1963
MKR $2154.9330
APEX $2.3329
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • Invisible malicious NPM packages


    The npm CLI tool has a very convenient and effective mechanism for protecting against vulnerable packages - automatic package verification during installation (using npm install), which can be run manually using the npm audit command. However, researchers at JFrog found that this protection mechanism can be easily bypassed by adding a hyphen to the package version (for example, 1.2.3-a), which is usually used to indicate a pre-release package. This is because the Bulk Advisory endpoint is unable to obtain security advisories for packages whose version contains a hyphen (-) followed by additional characters.

    While the maintainers of the project consider adding a hyphen to the name as a necessary piece of functionality to distinguish between normal and pre-release versions of packages, this opens up a new attack vector for attackers who seek to attack users of the npm ecosystem. Hackers can exploit this loophole by deliberately embedding vulnerable or malicious code into packages of useful functionality that unsuspecting developers can then install, the researchers say.

    As an example, the researchers cited the cruddl package, which had a critical vulnerability (CVE-2022-36084) in one of its previous versions. When installing this version of the CLI, npm warns the developer that the package contains a critical vulnerability.

    However, if you try to install a pre-release version of cruddl 2.0.0 CLI, npm will not display any warning, even though this version of the package is also affected.

    At the conclusion of the report, JFrog recommended that developers and DevOps engineers should never install pre-release npm packages unless they are sure the source is 100% reliable. It is worth noting that even in this case, it is recommended to revert to a non-preview version of the package as soon as possible.

    Author DeepWeb
    Samsung and LG certificates used to sign malicious apps
    Psychedelic truths for beginners for a comfortable LSD trip

    Comments 0

    Add comment