Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach. …

8 Steps to npm Registry

How to set up a Private, Remote and Virtual npm Registry

The simplest way to manage and organize your Node dependencies is with an npm repository. You need reliable, secure, consistent and efficient access to the dependencies shared across your team, in a central location. This includes a place to set up multiple registries that work transparently with the npm client. With the JFrog free …

Exclude Patterns in Remote Repositories

Yet Another Case for Using Exclude Patterns in Remote Repositories: Namespace Shadowing (a.k.a. “Dependency Confusion”) Attack

Update: June 1, 2021. You asked, we delivered! Even easier protection against dependency confusion attacks! Read more — Going Beyond Exclude Patterns: Safe Repositories With Priority Resolution. TL;DR The npm Registry is vulnerable to supply chain namespace shadowing, also known as “Dependency Confusion” attacks. Make sure you create npm scoped packages and force exclude patterns. Long-time …

How not to care about unpublishgate

So, you all heard about #npmgate a.k.a. #unpublishgate. Azer removed left-pad from the official npm registry and all hell broke loose. Most npm builds in the world are failing today because a tiny (17 lines of JS code!) but very popular library was obliterated from a central repository (which teaches us a lesson about …

4 best practices in repository configuration

1. If you are using several technologies (e.g. NuGet, Maven, npm, PyPI, etc.), define a unique repository for each of them. By doing that you are making sure that all of the build requests are directed to the right place rather than going to a repository that may not even have the necessary packages. 2. …

Private npm Registry With Artifactory

The main reason for Node’s explosive popularity is its thriving ecosystem. Likewise, it’s well understood that the main reason for that ecosystem’s growth is npm, Node’s package manager. npmjs.org usage has skyrocketed, with statistics showing over 4 million packages downloaded a day and over 68,000 packages publicly available, and the numbers just keep going up. In fact, …