Destructive malware available in NPM repo went unnoticed for 2 years


Payloads were set to spontaneously detonate on specific dates with no warning.

Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.

- Deleting files related to Vue.js, a front-end JavaScript framework for building user interfaces and webpage apps, using commands that were written for both Windows and Linux
- Corrupting core JavaScript functions with random data
- Corrupting all browser storage mechanisms with an advanced three-file attack that broke “authentication tokens, user preferences, shopping carts, and application state while creating hard-to-diagnose intermittent failures that persist[ed] through page refreshes”
- “Multi-Phase System Attacks” that deleted Vue.js framework files and forced system shutdowns

Pandya said that means the threat remains persistent, although in an email he also wrote: “Since all activation dates have passed (June 2023–August 2024), any developer following normal package usage today would immediately trigger destructive payloads including system shutdowns, file deletion, and JavaScript prototype corruption.”

Or read this on ArsTechnica