Earlier this week, Azer Koçulu decided to unpublish his modules from npm, the default package manager for Node.js. He had published 273 modules in total.
Some major modules, like Babel and React, relied on one of them: left-pad, and a lot of npm…
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in the form…
Recently, eslint-scope and eslint-config-eslint packages were hacked in an interesting way - one of the maintainers' accounts was compromised by an attacker and a new "patch" version with the malicious code was published to the npm registry.
This…
I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency.
But from a research perspective, I want to know whether a vulnerability in development…
lodash has been reported to be vulnerable to the so-called prototype pollution attack in versions up to (excluding) 4.17.5.
See https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Now lodash is the most depended upon package in the JavaScript ecosystem.…
On various security forums I have seen links to a post about a fictive malicious NPM package harvesting information. The post's title:
I’m harvesting credit card numbers and passwords from your site.
Here’s how.
The best quote in the post in my…
I'm new to hybrid app development and web development in general. Are there common coding practices/techniques I can use to ensure that I write code which does not put the end user at risk of malicious software exploiting my app to cause harm?
How…
I had a typo and npm installed something that is similar in name to something very popular -- I was concerned about typosquatting. It's quite plausibly legitimate and just a coincidence. I looked at the corresponding package and didn't see…
When installing a Node.js package via npm or when running npm-audit I get information about known vulnerabilities of packages in the project. From my understanding this means that there must be some database somewhere that contains this…
When checking third party libraries used in package.json and build.gradle files with tools such as Snyk, they allow the option to check for devDependencies. A lot of the time there are vulnerabilities for these dependencies. But if they are not…
So beyond looking at the source code for a particular software library, is there a way to vet that it does not contain malicious code? As far as I know from my own research, services like pip, npm, and composer do not provide any assurances (Not that I…
React, and its application creation script, create-react-app, are popular packages nowadays... and with good reason: React is a rock-star framework.
From a security perspective, sanitizing all the packages that create-react-app installs seems to be…
I have not been able to find a single page that actually explains how npm's ECDSA signing system works.
The closest I could find is the official documentation, but as far as I can tell from that documentation, this system is completely useless: a…
TL;DR: running npm i ... not long after pass my-password allows a malicious package to steal my entire password store.
I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root.
The first time…