Updated on 2022-09-28: npm malware
Twenty-three JavaScript libraries were removed from the npm portal over the past two days after researchers found malware hidden in their code. See the list here.
Updated on 2022-09-23: Compromised npm Packages Affect Cryptocurrency Projects
Multiple npm packages used by cryptocurrency projects have been compromised and are installing information stealers. The compromised packages “were published from the npm account of a dYdX staff member and found to contain illicit code.”
Note
- Known mitigations reduce the risk of account takeover for your repository. Make sure that only vetted code is committed, keep visibility into every update to the packages you depend on, and follow up on unexpected or oddly-timed releases. Keep your dependencies pinned to versions you have already reviewed rather than updating to the latest release blindly.
Read more in
Overview
A threat actor compromised the npm account of a developer at cryptocurrency platform dYdX and published malicious code in two of the company’s JavaScript libraries—solo and perpetual.
The incident was first spotted by Polish security researcher Maciej Mensfeld, and the company acted within hours to secure its libraries.
☠️ [PLEASE SHARE] If you use @dydx @npmjs packages, DO NOT update them to the latest versions as they were compromised: https://t.co/TDjBIQxwLi https://t.co/9R3vRLJTU3 They exfiltrate credentials and steal sensitive data! #javascript #supplychain #cybersecurity #opensource pic.twitter.com/TDtrylumMK
— Maciej Mensfeld (@maciejmensfeld) September 23, 2022
At 6:14AM EST, we identified malicious versions published to a number of dYdX NPM packages that were quickly removed.
🔒 All funds are SAFE
✅ Our websites/apps have NOT been compromised
✅ The attack did NOT impact smart contracts
We will follow up with a post mortem asap
— dYdX (@dYdX) September 23, 2022
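The note above recommends visibility into updates and follow-up on oddly-timed releases, and the researcher's warning is not to update to the latest versions. The following Node.js script is an added example, not code from dYdX, the researcher, or the original page: it compares a package-lock.json pin against a package's publish history (the `time` map in an npm registry metadata document, which maps version to ISO publish timestamp) and flags newer releases that look anomalous before anyone runs `npm update`. The package name, versions and timestamps are constructed for the example, and the "outside the maintainer's usual publish hours" and "younger than seven days" heuristics are assumptions of this example, not an npm feature.

```javascript
// Added example (not dYdX's code nor the original page's): hold back newer
// npm releases that look oddly timed relative to the package's own history.
//
// Shapes: the npm registry metadata document exposes a `time` map of
// version -> ISO publish timestamp (plus "created"/"modified"); a
// lockfileVersion 2/3 package-lock.json keeps pins under `packages`.
// Package name, versions and timestamps below are constructed.

const SAMPLE_REGISTRY_TIME = {
  created: "2021-03-01T15:02:11.000Z",
  modified: "2022-09-23T10:14:00.000Z",
  "1.4.0": "2021-03-01T15:02:11.000Z",
  "1.4.1": "2021-06-14T16:40:05.000Z",
  "1.5.0": "2022-02-10T14:22:30.000Z",
  "1.5.1": "2022-09-23T10:14:00.000Z", // constructed: the release to be suspicious of
};

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "node_modules/@example/lib": {
      version: "1.5.0",
      resolved: "https://registry.npmjs.org/@example/lib/-/lib-1.5.0.tgz",
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if not a version.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Real version entries from the `time` map ("created"/"modified" dropped), oldest first.
function publishedVersions(timeMap) {
  return Object.entries(timeMap)
    .filter(([key]) => parseSemver(key) !== null)
    .map(([version, iso]) => ({ version, at: new Date(iso) }))
    .sort((x, y) => x.at - y.at);
}

// Versions the registry now offers beyond what the lockfile pinned.
function versionsNewerThanLock(timeMap, lockedVersion) {
  return publishedVersions(timeMap)
    .map((p) => p.version)
    .filter((v) => compareSemver(v, lockedVersion) > 0);
}

// Heuristic (an assumption of this example): a release is oddly timed if its
// UTC publish hour falls outside the hour range of the maintainer's earlier
// releases (judged only once `minHistory` releases exist), or if it is younger
// than `recentDays`, i.e. nobody has had time to vet it yet.
function timingAnomalies(timeMap, now, { minHistory = 3, recentDays = 7 } = {}) {
  const priorHours = [];
  const flagged = [];
  for (const { version, at } of publishedVersions(timeMap)) {
    const reasons = [];
    const hour = at.getUTCHours();
    if (priorHours.length >= minHistory) {
      const lo = Math.min(...priorHours);
      const hi = Math.max(...priorHours);
      if (hour < lo || hour > hi) {
        reasons.push(`published at hour ${hour} UTC, outside prior range ${lo} to ${hi} UTC`);
      }
    }
    const ageDays = (now - at) / 86400000;
    if (ageDays >= 0 && ageDays < recentDays) {
      reasons.push(`published ${ageDays.toFixed(1)} days before review`);
    }
    if (reasons.length > 0) flagged.push({ version, reasons });
    priorHours.push(hour);
  }
  return flagged;
}

// Review one lockfile entry: which newer versions an update would pull in,
// and which of those look anomalous and should be held back and examined.
function reviewPackage(timeMap, lockedVersion, now) {
  const newer = versionsNewerThanLock(timeMap, lockedVersion);
  const details = timingAnomalies(timeMap, now).filter((a) => newer.includes(a.version));
  return { lockedVersion, newer, suspicious: details.map((a) => a.version), details };
}

// Stand-alone run over the constructed data (review time is also constructed).
const lockEntry = SAMPLE_LOCK.packages["node_modules/@example/lib"];
const report = reviewPackage(SAMPLE_REGISTRY_TIME, lockEntry.version, new Date("2022-09-23T12:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

In practice the `time` map comes from `https://registry.npmjs.org/<package>` and the pin from your committed package-lock.json; a release that trips either check is a reason to keep the lockfile where it is and read the published tarball before adopting it, which is exactly the "do not update to the latest versions" advice above turned into a routine check.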
Read more in