Monday, December 16, 2019

npm CLI vulnerable to binary planting (path traversal and arbitrary file write)

NPM (originally short for Node Package Manager) is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. 

The npm maintainers have disclosed that the npm command-line interface (CLI) client is affected by a security bug that combines a path traversal with an arbitrary file (over)write. The root cause is how npm handled a package's `bin` field in package.json: before npm 6.13.4, a package could declare a bin entry whose name contained path components, or whose target resolved outside the package directory (via `..`, an absolute path, or a symlink), and npm would create the link there anyway. A third variant let a global install overwrite a binary already present in the global bin directory that belonged to another package. The fixes shipped in npm 6.13.4 (CVE-2019-16775, CVE-2019-16776, CVE-2019-16777).

To be exploited, the bug needs a victim to install a booby-trapped package with the npm CLI, either directly or as a transitive dependency; merely having a vulnerable client installed is not enough. The payoff for an attacker is writing a file of their choosing anywhere the npm process can write, and global installs (often run as root, with the global bin directory on PATH) are the worst case, since a dropped or replaced binary runs the next time anyone invokes it. The fix is to upgrade the client with `npm install -g npm@latest` (6.13.4 or later) and confirm with `npm -v`; the npm bundled with an older Node.js release stays at the old version until it is upgraded separately.

Source (Dec 11, 2019) : https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
