
You too can run malware from NPM (I mean without consequences)


Companion repository: naugtur/running-qix-malware on GitHub.

The stakes are not high enough to switch from phishing to anything more advanced (like https://xkcd.com/538/), but seeing article blurbs say "Supply chain Attack" next to "These packages generally receive 2-3 billion downloads per week."

By the way, if the malware had been written a little better, to avoid detection and fail silently, the functionality of the app would have been fully restored.

In short, what it does is this: it puts the modules of every dependency in a separate lexical global context that we call a Compartment and only allows access to the globals that the policy lists.


Read more on: malware, npm, consequences

Related news:

- NPM debug and chalk packages compromised
- "First of its kind" AI settlement: Anthropic to pay authors $1.5 billion | Settlement shows AI companies can face consequences for pirated training data.
- Attackers snooping around Sitecore, dropping malware via public sample keys