5 ways to spot software supply chain attacks and stop worms - before it's too late
Briefly

"This is a major security crisis for anyone who programs in JavaScript and the JavaScript runtime environment. JavaScript, by the way, is one of the most popular programming languages. This supply chain attack hits pretty much all JavaScript developers. That's because Node Package Manager (npm) is JavaScript's default package manager and software registry. It enables developers to install, manage, and share packages -- prebuilt pieces of reusable code called modules -- that their JavaScript or Node.js projects depend on."
"Npm also has a horrible security track record. Month after month, year after year, hackers have successfully inserted malicious code into npm modules. This, in turn, means that corrupted code is automatically introduced into JavaScript-based programs used by end users. The most recent example of this was a week ago, when a phishing attack compromised 18 packages that were downloaded two billion times a week."
A major security crisis threatens anyone who programs in JavaScript and the JavaScript runtime environment. Node Package Manager (npm) serves as JavaScript's default package manager and the largest open-source package registry, enabling installation, management and sharing of reusable modules. Npm has a poor security history: hackers have repeatedly inserted malicious code into packages, and because those packages are pulled in automatically as dependencies, the corrupted code propagates into JavaScript-based programs used by end users. A recent phishing compromise affected 18 packages downloaded billions of times, and the Shai-Hulud software supply-chain worm remains ongoing. Software supply-chain attacks insert malicious code into components during development and exploit trusted third-party vendors, libraries, or tools to impact many victims simultaneously.
Read at ZDNET