Npm team warns of new ‘binary planting’ bug

by technewshero
December 13, 2019
in Security

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday advising all users to update to the latest version (6.13.4) to prevent “binary planting” attacks.

Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is affected by a security bug that combines a path traversal issue with an arbitrary file (over)write issue.

The bug can be exploited by attackers to plant malicious binaries or overwrite legitimate apps on a user’s computer. What files can be written/planted is at the attacker’s whim, depending on what they’re trying to achieve.

The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI.

“However, as we have seen in the past, this is not an insurmountable barrier,” said the npm team, referring to past incidents in which attackers planted backdoored or boobytrapped packages on the official npm repository.

No signs of attacks

Npm devs say they’ve been scanning the npm portal for packages containing code designed to exploit this bug, but have not seen any suspicious cases.

“That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the [official npm] registry,” npm devs said.

“We will continue monitoring,” they added. “However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.”

Besides npm, yarn, another package manager for JavaScript, is also affected. The bug was fixed in yarn with the release of yarn 1.21.1, earlier this week.

The npm and yarn teams credited German security researcher Daniel Ruf with discovering this vulnerability. An in-depth technical report is available on Ruf’s blog.

Npm’s importance in the JS ecosystem

However, the issue affects npm users more than yarn users. Npm is not only the biggest package manager for JavaScript, but also the biggest package repository for any programming language, with more than 350,000 libraries.

JavaScript runs everywhere these days, from browsers to financial apps, and from desktops to servers. Because npm has such a central role in the JavaScript ecosystem, it has often been abused.

Hackers upload boobytrapped libraries on npm in the hopes legitimate projects will use them. They also hijack npm accounts of known developers and then plant malicious code inside popular libraries. The end goal is to launch attacks or plant backdoors inside apps built with the boobytrapped npm packages, which they can later use to steal data from those apps’ users.

There have been many such cases in the past. In July 2018, a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.

In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.

In August 2017, the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from other projects, in an attempt to collect project-sensitive information, such as passwords or API keys.

Cryptocurrency users are often targets

But while these past attacks targeted developers, recent attempts to backdoor npm packages have been aimed at cryptocurrency users. This is because JavaScript, and by extension npm, is used to build and power many of today’s web, mobile, and desktop-based cryptocurrency wallet apps.

Attackers often backdoor npm libraries or create boobytrapped clones to plant their code inside wallets and then steal user funds.

For example, in June this year, the npm team found malicious code inside an npm package that was designed to steal cryptocurrency wallet seeds and other login passphrases specific to cryptocurrency apps. The library was used by a cryptocurrency startup that chose to hack itself before hackers could exploit the bug for themselves.

Another similar attack happened in November 2018, when hackers backdoored an npm package used by the Copay desktop and mobile wallet apps so they could steal bitcoins from its users.

The vulnerability patched today is dangerous enough to enable such attacks on developers of cryptocurrency wallets, and their respective users.

Ooops, all cryptocoin wallets based on Javascript are probably vulnerable to this simple wallet.dat theft vuln.

This is why you don’t use JS to secure your money. That is a really dumb idea. This is why $HUSH threw away our entire nodeJS GUI wallet.

JS has no place in wallets. https://t.co/uMbbpijGMb

— Duke Leto (@dukeleto) December 12, 2019