More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months — a rapid increase that showcases how npm has become a launchpad for a range of malicious activities.
New research from open-source security and management firm WhiteSource has discovered a disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, cryptojacking, botnet delivery and more to its users.
Out of the malicious packages found, 14 percent were designed to steal sensitive information like credentials, while nearly 82 percent were performing “reconnaissance,” which involved adversaries actively or passively gathering information that can be used to support targeting, the firm said.
Read More: https://threatpost.com/malicious-npm-packages-web-apps/178137/