Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular — albeit deprecated — JavaScript package. The actual backdoor mechanism was found in “getcookies,” a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team — which analyzed this package earlier today after reports from the npm community — says “getcookies” contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library.

Powered by WPeMatico