The name npm (Node Package Manager) comes from its origin as the package manager for Node.js.
Node.js is an open-source, cross-platform JavaScript runtime environment that allows developers to run JavaScript code outside of a browser. It is built on Chrome's V8 JavaScript engine, which makes it highly performant. Node.js is widely used for building servers, web applications, command-line tools, and scripts.
npm is the world's largest open-source software registry. The registry contains over 800,000 code packages for Node.js.
Developers routinely pull in open-source packages without any security review, and a fresh `npm install` will happily pick up a newly published version that still satisfies the version range in package.json. That is why a worm that publishes trojanized versions of packages it has gained access to spreads so quickly.
The Shai-Hulud malware is a self-replicating worm that targets the npm ecosystem, compromising hundreds of packages and exposing sensitive developer credentials.
At time of writing, 27,000 infected packages had been reported, including the `postman` package; the BleepingComputer article cited below, written earlier in the campaign, put the count at around 500.
The npm package named `postman` is a small JavaScript library implementing a simple message bus, with roughly 750 downloads a week at time of writing.
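One practical check a developer can run before trusting an install is to audit the project's package-lock.json: compare every resolved package@version against the list of versions published by the worm, and flag any dependency that runs install-time lifecycle scripts, since that is the hook a self-replicating package needs to execute on a developer's machine during `npm install`. The script below is an added example, not code from the original post or from any advisory; the COMPROMISED list and the sample lockfile are constructed placeholders, not real indicators, and the script assumes an npm lockfile of version 2 or 3 (the `packages` map with its `hasInstallScript` flag).

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3)
// for (a) package@version pairs on a known-bad list and (b) dependencies
// that run preinstall/install/postinstall scripts, which npm records as
// "hasInstallScript": true in the lockfile.

// Hypothetical known-bad versions. A real run would load the list
// published in the advisory for the campaign being checked.
const COMPROMISED = new Map([
  ["example-color-lib", new Set(["4.1.1", "4.1.2"])],
  ["example-message-bus", new Set(["1.0.7"])],
]);

// Constructed sample lockfile in the lockfileVersion 3 layout (not real data).
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-color-lib": "^4.1.0" } },
    "node_modules/example-color-lib": { version: "4.1.2", hasInstallScript: true },
    "node_modules/example-message-bus": { version: "1.0.6" },
    "node_modules/left-pad-ish": { version: "2.0.0", hasInstallScript: true },
    "node_modules/example-color-lib/node_modules/nested-dep": { version: "0.1.0" },
  },
});

// Lockfile keys are paths such as "node_modules/@scope/name" or
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns { compromised: [...], installScripts: [...] } as "name@version" strings.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 (no 'packages' map found)");
  }
  const findings = { compromised: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (name === null) continue; // "" is the root project itself
    const id = `${name}@${entry.version}`;
    const badVersions = COMPROMISED.get(name);
    if (badVersions && badVersions.has(entry.version)) findings.compromised.push(id);
    if (entry.hasInstallScript === true) findings.installScripts.push(id);
  }
  return findings;
}

// Usage: node audit-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const input = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  const result = auditLockfile(input);
  console.log("known-bad versions:", result.compromised);
  console.log("packages with install scripts:", result.installScripts);
  process.exitCode = result.compromised.length > 0 ? 1 : 0;
}
```

Any hit in `compromised` means the lockfile must be rolled back to a clean version and every credential on that machine (npm and GitHub tokens, cloud keys) treated as leaked. The `installScripts` list is not proof of compromise, since legitimate native modules use install hooks too, but it is the set of packages that get to run code on `npm install`; installing with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) removes that execution path at the cost of breaking packages that genuinely need a build step.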
Source: Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub (bleepingcomputer.com)
The name comes from Dune, where Shai-Hulud is the sandworm.
