
Snyk security researcher deploys malicious NPM packages targeting cursor.com


A security researcher at Snyk published 5 malicious software packages to the NPM registry. These packages appear to target Cursor.com.

Even weirder, the names of those packages appeared to show they were targeting Cursor, the hot new AI coding company. You can see in this screenshot that the package is grabbing the output of an env command, which will include many configuration options for your system. Often things like AWS keys, NPM tokens, GitHub credentials and other sensitive variables are exposed by the env command, so guess what?
