
Multiple security vulnerabilities have been disclosed in popular package managers that, if exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, on compromised machines.

It is worth noting, however, that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.

“This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files,” SonarSource researcher Paul Gerste said. “But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?”

Package managers are systems or sets of tools that automate installing, upgrading, and configuring the third-party dependencies required for developing applications.

While there are inherent security risks with rogue libraries making their way to package repositories – necessitating that the dependencies are properly scrutinized to protect against typosquatting and dependency confusion attacks – the “act of managing dependencies is usually not seen as a potentially risky operation.”

images from Hacker News