Remember npm library ‘colors’? There’s no such thing as ‘colors-2.0’

The popular npm package ‘colors’ made headlines earlier this year when its developer Marak Squires sabotaged the component by adding an infinite loop to it, printing zalgo text incessantly for everyone using the dependency.

‘colors’ is used heavily, raking in 20 million weekly downloads on npm alone, and has around 19,000 open source projects relying on it. And that explains why threat actors would attempt to typosquat it.

Sonatype’s automated detection systems, offered as part of Nexus Firewall, have spotted the following malicious npm packages this time:

These packages are tracked as sonatype-2022-1497, sonatype-2022-1501, sonatype-2022-1504, and sonatype-2022-1476 in our security vulnerability data.

To a casual observer, colors-2.0, colors-3.0, and a few others may appear to be “newer” versions of the ‘colors’ library, when that’s far from the case. These packages are tactically named in a manner that may confuse a novice developer into mistaking them for the latest versions of the official ‘colors.’

Last year, PyPI took down mitmproxy2—a fork of the original ‘mitmproxy’ package with an “artificially introduced” code execution vulnerability that could, once again, cause confusion and lead to developers adopting the less-secure mitmproxy2 as opposed to the official package under the false assumption they were on the later version of the package.

It is worth noting that in November 2021, months before the news of Squires corrupting his own ‘colors’ library emerged, packages named ‘colors-2.0.0’ and ‘colors-2.0’ (notice the dash) were also published in an identical typosquatting attack by an author, and later removed by npm.
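The naming trick described above (a trusted package name with a version-looking suffix such as ‘colors-2.0’ or ‘colors-2.0.0’) is easy to catch mechanically in a project's own manifest. The following is an added example, not code from Sonatype or from the original post: it scans a package.json for dependency names of the form `<base>-<digits[.digits...]>` and flags them when `<base>` is either a package on a constructed allowlist (`KNOWN_PACKAGES`, an assumption standing in for your own list) or is itself declared as a dependency. Legitimately hyphen-numbered packages such as ‘base-64’ are not flagged because neither condition holds for them. The `SAMPLE_PACKAGE_JSON` input is constructed for the example.

```javascript
// Added example (not Sonatype's code): flag dependencies whose name is a known
// package name followed by a version-style suffix, e.g. "colors-2.0".

// Matches "<base>-<digits>" or "<base>-<digits>.<digits>...". The base is lazy so
// "colors-2.0.0" splits as base "colors", suffix "2.0.0". Scoped names are allowed.
const VERSION_SUFFIX = /^(?<base>@?[a-z0-9._/-]+?)-(?<suffix>\d+(?:\.\d+)*)$/;

// Constructed allowlist; replace with the packages your organisation actually uses.
const KNOWN_PACKAGES = new Set(["colors", "chalk", "lodash", "mitmproxy"]);

// Returns { base, suffix } when the name has a version-style suffix, else null.
function splitVersionSuffix(name) {
  const m = VERSION_SUFFIX.exec(name);
  if (!m) return null;
  return { base: m.groups.base, suffix: m.groups.suffix };
}

// Scans dependencies and devDependencies of a parsed package.json object.
// A name is reported only when its base is a known package or is also declared
// directly, which keeps "base-64"-style legitimate names out of the report.
function findSuspiciousDependencies(pkgJson, knownPackages = KNOWN_PACKAGES) {
  const deps = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const parts = splitVersionSuffix(name);
    if (!parts) continue;
    const baseIsKnown = knownPackages.has(parts.base);
    const baseAlsoDeclared = Object.prototype.hasOwnProperty.call(deps, parts.base);
    if (baseIsKnown || baseAlsoDeclared) {
      findings.push({
        name,
        range,
        lookalikeOf: parts.base,
        versionSuffix: parts.suffix,
      });
    }
  }
  return findings;
}

// Constructed sample manifest: one real dependency plus two lookalikes.
const SAMPLE_PACKAGE_JSON = JSON.parse(`{
  "name": "example-app",
  "dependencies": {
    "colors": "^1.4.0",
    "colors-2.0": "*",
    "lodash": "^4.17.21",
    "p-limit": "^3.0.0"
  },
  "devDependencies": {
    "chalk-3.0": "latest"
  }
}`);

// Human-readable report lines for the findings.
function formatReport(findings) {
  return findings.map(
    (f) =>
      `suspicious dependency "${f.name}" (${f.range}): looks like "${f.lookalikeOf}" ` +
      `with version-style suffix "${f.versionSuffix}"`
  );
}

for (const line of formatReport(findSuspiciousDependencies(SAMPLE_PACKAGE_JSON))) {
  console.log(line);
}
```

Run this against a real manifest by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; the same check can be applied to every package.json in a lockfile's dependency tree, since a lookalike pulled in transitively is no less dangerous than one declared directly.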

In the case of ‘colors-XX’ typosquats, these packages contain legitimate files borrowed from ‘colors’—except the ‘lib/colors.js’ file that contains heavily obfuscated and minified JavaScript code.

Minified JS has legitimate use-cases as it (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/remember-npm-library-colors-theres-no-such-thing-as-colors-2.0