GitHub pulls pin on npm's auto-run scripts
Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors
Yasna brings together recent headlines from selected sources and makes them easier to sort with tags, filters, and search.
Search across headline titles and summaries.
Weekly headline count for the current query.
Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors
Trojanized npm packages spread new variant that executes in pre-install phase, hitting thousands within days A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days.…
Hundreds of compromised packages pulled as registry shifts to 2FA and trusted publishing GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.…
Stolen dev credentials posted to GitHub as attackers abuse CLI tools for recon Nx is the latest target of a software supply chain attack in the NPM ecosystem, with multiple malicious versions being uploaded to the NPM registry on Tuesday evening.…
Publishing provenance possibly prevents problems Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin.…
LofyLife campaign comes amid GitHub security lockdown Cybercriminals continue to use npm packages to drop malicious packages on unsuspecting victims, most recently to steal Discord login tokens, bank card data, and other user information from infected systems.…
Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies GitHub has revealed it stored a "number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems.…
Campaign to coax GitHub-owned outfit to improve security starts showing results Special report Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security.…