
Multiple crypto packages hijacked, turned into info-stealers
Sonatype has identified multiple npm cryptocurrency packages, the latest versions of which have been hijacked and altered to steal sensitive information, such as environment variables, from the target victims ...

Fake VS Code extension on npm uses altered ScreenConnect utility as spyware
A counterfeit 'Truffle for VS Code' extension, published on the npmjs registry, abuses the ConnectWise ScreenConnect remote desktop utility, allowing threat actors to compromise Windows systems that install the package ...

Fake Solana packages target crypto devs, abuse Slack & ImgBB for data theft
Recently discovered malicious packages on the npmjs.com registry named "solanacore," "solana-login," and "walletcore-gen" target Solana crypto developers with Windows trojans and malware capable of keylogging and sensitive data exfiltration. Furthermore, these packages abuse Slack webhooks and ImgBB APIs to transfer collected data to external actors. Unlike previously discovered crypto-stealers ...

npm packages from Rspack, Vant compromised, blocked by Sonatype
Fairly popular npm packages @rspack/core and @rspack/cli were hijacked yesterday after attackers got their hands on a compromised npm token and published malicious versions 1.1.7 of these projects. These versions were promptly caught by Sonatype's automated malware detection systems and blocked for our customers using Nexus Repository Firewall ...

Counterfeit ESLint and Node ‘types’ libraries downloaded thousands of times abuse Pastebin
The legitimate ESLint packages on the npmjs.com registry are called "typescript-eslint" and "@typescript-eslint/eslint-plugin." Unscrupulous actors have published a typosquat named "@typescript_eslinter/eslint" that very closely resembles the names of the real libraries but is up to no good. The counterfeit component has been downloaded thousands of times. Similarly, attacks impersonated ...

Fake IP checker utilities on npm are crypto stealers
Recently identified npm packages called "node-request-ip", "request-ip-check" and "request-ip-validator" impersonate handy open source utilities relied upon by developers to retrieve an external IP address, but instead target Windows, Linux and macOS users with malicious executables that are trojans and cryptocurrency stealers ...

Lottie Player compromised in supply chain attack — all you need to know
Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack with threat actors releasing three new versions of the component yesterday, all in a span of a few hours. Understand what this threat means for your business and what you need to do ...

Counterfeit Lodash attack leverages AnyDesk to target Windows users
npm packages recently identified by Sonatype are named similarly to the vastly popular JavaScript library lodash. These packages abuse typosquatting and carry within them a modified version of the AnyDesk utility to target developers using the Windows OS ...

‘Netfetcher’ package drops illicit ‘node’ binary on Windows
Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of these executables are called "node.exe" and even bear the NodeJS icon and metadata, making them evasive and easily ...

Crypto enthusiasts flood npm with more than 281,000 bogus packages overnight
Crypto enthusiasts have lately been flooding software registries like npm and PyPI with thousands of bogus packages that add no functional value and instead put a strain on the entire open source ecosystem. A single instance, recorded by Sonatype in July 2024, saw 281,512 distinct packages appearing on the npmjs.com ...