Updated on 2022-09-28: npm malware
Twenty-three JavaScript libraries were removed from the npm portal over the past two days after researchers found malware hidden in their code. See the list here.
Updated on 2022-09-23: Compromised npm Packages Affect Cryptocurrency Projects
Multiple npm packages used by cryptocurrency projects have been compromised and are installing information stealers. The compromised packages “were published from the npm account of a dYdX staff member and found to contain illicit code.”
Note
- Known mitigations exist to prevent account takeover of your repository. Make sure that only your vetted code is committed, make sure that you have visibility into all updates, and then follow up on any unexpected or oddly timed update.
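One way to put the "visibility into all updates" advice into practice, as an added example that is not code from the article or from dYdX: a Node script that reads a constructed npm registry metadata document (the public `time` map of version to publish timestamp plus `dist-tags`) and a constructed package-lock fragment, flags releases that are very recent or published at unusual hours, and reports drift between the pinned and latest versions. The package name, the timestamps and the working-hours window are assumptions for illustration.

```javascript
// Added example: review one npm dependency for unexpected or oddly timed releases.
// All data below is constructed; "example-lib" is not a real package.
const REGISTRY_DOC = {
  name: "example-lib",
  "dist-tags": { latest: "1.2.1" },
  time: {
    created: "2021-01-10T12:00:00.000Z",
    "1.0.0": "2021-01-10T12:00:00.000Z",
    "1.1.0": "2021-06-15T14:30:00.000Z",
    "1.2.0": "2022-03-02T15:05:00.000Z",
    "1.2.1": "2022-09-22T03:14:00.000Z", // constructed: recent and at 03:14 UTC
  },
};
// Constructed package-lock.json fragment (lockfileVersion 2 layout) pinning 1.2.0.
const LOCKFILE = {
  lockfileVersion: 2,
  packages: { "node_modules/example-lib": { version: "1.2.0" } },
};
// Turn the registry "time" map into [{version, publishedAt}] entries, oldest first.
function releaseEntries(doc) {
  return Object.entries(doc.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }))
    .sort((a, b) => a.publishedAt - b.publishedAt);
}
// Flag releases published within `recentDays` of `now` or outside `workHoursUtc`.
// The hour window is an assumed heuristic; tune it to the maintainer's normal cadence.
function flagReleases(doc, now, { recentDays = 7, workHoursUtc = [8, 20] } = {}) {
  const [start, end] = workHoursUtc;
  return releaseEntries(doc).flatMap(({ version, publishedAt }) => {
    const reasons = [];
    const ageDays = (now - publishedAt) / 86400000;
    if (ageDays >= 0 && ageDays <= recentDays) reasons.push(`published ${ageDays.toFixed(1)} days ago`);
    const hour = publishedAt.getUTCHours();
    if (hour < start || hour >= end) reasons.push(`published at ${hour}:00 UTC, outside usual hours`);
    return reasons.length ? [{ version, reasons }] : [];
  });
}
// Compare the lockfile's pinned version with the registry "latest" tag so a new
// release is surfaced for follow-up instead of being pulled in unnoticed.
function reviewDependency(name, lockfile, doc, now) {
  const pinned = lockfile.packages[`node_modules/${name}`]?.version ?? null;
  const latest = doc["dist-tags"].latest;
  return { name, pinned, latest, newerThanPinned: pinned !== latest, flagged: flagReleases(doc, now) };
}
const report = reviewDependency("example-lib", LOCKFILE, REGISTRY_DOC, new Date("2022-09-23T12:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

In a real review the registry document would come from `npm view <name> --json` or the registry API and the lockfile from the repository; every flagged entry is a prompt to verify the release with the maintainer, not a verdict on its own.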
Overview
A threat actor compromised the npm account of a developer at cryptocurrency platform dYdX and published malicious code in two of the company’s JavaScript libraries—solo and perpetual.
The incident was first spotted by Polish security researcher Maciej Mensfeld, and the company acted within hours to secure its libraries.