
NPM Users Download 2.1B Deprecated Packages Weekly, Say Security Researchers


The cybersecurity site SC Media reports that NPM registry users "download deprecated packages an estimated 2.1 billion times weekly, according to a statistical analysis of the top 50,000 most-downloaded packages in the registry."

Deprecated, archived and "orphaned" NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them, warned the researchers from Aqua Security's Team Nautilus, who published their findings in a blog post on Sunday... As the researchers pointed out, not all developers are transparent about potential risks to users who download or depend on their outdated NPM packages. By archiving the repository without fixing the security flaw or assigning it a CVE, the owner leaves developers of dependent projects in the dark about the risks, the researchers said...
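The registry-level half of the problem is checkable from a lockfile: npm stores a deprecation notice as the string field `versions[<version>].deprecated` in a package's registry metadata (the "packument"), which is what `npm view <pkg>@<ver> deprecated` prints. The script below is an added example, not code from the article or from Aqua Security, that walks a `package-lock.json` (lockfileVersion 2 or 3) and reports every pinned version the registry marks as deprecated. The lockfile and packuments in it are constructed sample data with fictional package names; `fetchPackument` is the only part that touches the network and is not exercised by the sample.

```javascript
// Added example: find deprecated versions pinned in an npm lockfile.
// Assumes npm's documented packument shape: { versions: { "x.y.z": { deprecated: "..." } } }.

// Extract the package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". Scoped names
// contain a "/" of their own, so take everything after the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null; // the "" key is the root project, not a dependency
  return key.slice(idx + marker.length);
}

// lock: parsed package-lock.json; packuments: { [name]: packument }.
// Returns [{ name, version, path, notice }] sorted by lockfile path.
// A package with no packument supplied is skipped, i.e. reported as
// unknown rather than silently treated as clean.
function findDeprecated(lock, packuments) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(path);
    if (!name || !entry.version) continue;
    const doc = packuments[name];
    if (!doc) continue;
    const notice = doc.versions?.[entry.version]?.deprecated;
    if (typeof notice === "string" && notice.length > 0) {
      hits.push({ name, version: entry.version, path, notice });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Live use only (network; not run here): fetch one packument from the
// public registry. Scoped names are sent as "@scope%2fname".
async function fetchPackument(name) {
  const url = "https://registry.npmjs.org/" + name.replace("/", "%2f");
  const res = await fetch(url);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

// Constructed sample lockfile (fictional packages) standing in for package-lock.json.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-util": { version: "2.3.1" },
    "node_modules/example-util/node_modules/@example/parser": { version: "0.9.0" },
    "node_modules/example-fresh": { version: "5.0.0" },
  },
};

// Constructed sample packuments, trimmed to the fields the check reads.
const SAMPLE_PACKUMENTS = {
  "example-util": {
    name: "example-util",
    "dist-tags": { latest: "2.3.1" },
    versions: {
      "2.3.1": { version: "2.3.1", deprecated: "No longer maintained; use example-util-next" },
    },
  },
  "@example/parser": {
    name: "@example/parser",
    "dist-tags": { latest: "1.0.0" },
    versions: {
      "0.9.0": { version: "0.9.0", deprecated: "0.x is unsupported; upgrade to 1.x" },
      "1.0.0": { version: "1.0.0" },
    },
  },
  "example-fresh": {
    name: "example-fresh",
    "dist-tags": { latest: "5.0.0" },
    versions: { "5.0.0": { version: "5.0.0" } },
  },
};

for (const h of findDeprecated(SAMPLE_LOCK, SAMPLE_PACKUMENTS)) {
  console.log(`${h.path}: ${h.name}@${h.version} deprecated: ${h.notice}`);
}
```

This only surfaces packages whose maintainers actually ran `npm deprecate`. The case the researchers describe, a GitHub repository archived while the published package carries no notice and no CVE, is invisible to this check and to `npm audit` alike; catching it means following the packument's `repository` field to the source host and asking it whether the repository is archived, which is a separate lookup not shown here.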
