Duckdb, coveops/abi and more new packages discovered as compromised in the ongoing phishing campaign On September 8th, a malicious actor compromised the npm registry by publishing trojanized versions of 18 widely-used packages, after obtaining developers’ tokens in a phishing attack, as reported by Aikido. Massively popular packages such as “debug”, “chalk” and “ansi-styles” were compromised. …
Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate. The JFrog Security Research team regularly monitors open-source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential software …
The Breach: A High-Impact Compromise JounQin’s npm account, the maintainer of popular packages such as eslint-config-prettier, was compromised in a phishing attack. The attackers used the breached credentials to publish six malicious versions of eslint-config-prettier, along with three additional infected packages tied to the same account. In total, the compromised packages see roughly 78 million …
Several months ago, Darcy Clarke, a former Staff Engineering Manager at GitHub, discovered the “Manifest Confusion” bug in the npm ecosystem. The bug was caused by the npm registry not validating whether the manifest file contained in the tarball (package.json) matches the manifest data published to the npm server. Clarke claims this to be a …
A potential security risk in the npm ecosystem known as “manifest confusion” has recently been spotlighted in a blog post by Darcy Clarke, a former Staff Engineering Manager at GitHub. Clarke mentioned that JFrog Artifactory seems to replicate this issue, so of course we investigated it right away. In this post, we will explain what …
The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach. …
The simplest way to manage and organize your Node dependencies is with an npm repository. You need reliable, secure, consistent and efficient access to your dependencies that are shared across your team, in a central location. Including a place to set up multiple registries, that work transparently with the npm client. With the JFrog cloud …
1. If you are using several technologies, (e.g. Nuget, Maven, NPM, PyPi etc..) define a unique repository for each of them. By doing that you are making sure that all of the build requests are directed to the right place rather than going to a repository that may not even have the necessary packages. 2. …
The main reason for Node‘s explosive popularity is its thriving ecosystem. Likewise, it’s well understood that the main reason for that ecosystem’s growth is npm, Node’s package manager. npmjs.org usage has skyrocketed with statistics showing over 4 Million packages downloaded a day, and over 68,000 packages publicly available, and the numbers just keep going up. In fact, …
