Select Page

A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.

The supply chain threat has been dubbed “Package Planting” by researchers from cloud security firm Aqua. Following responsible disclosure on February 10, the underlying issue was remediated by NPM on April 26.

“Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent,” Aqua’s Yakir Kadkoda said in a report published Tuesday.

This effectively meant that an adversary could create malware-laced packages and assign them to trusted, popular maintainers without their knowledge.

images from Hacker News