4 Articles
Malware Lurks in NPM for 2 Years, Hits 6,000 Downloads
In a chilling revelation for the software development community, a destructive strain of malware lingered undetected in the widely used NPM repository for over two years, amassing more than 6,000 downloads before being identified. This incident, reported by Ars Technica, underscores the persistent vulnerabilities in open-source ecosystems, where trust in shared code can be exploited with devastating consequences. The malware, embedded in eight s…
Destructive Malware Available In NPM Repo Went Unnoticed For 2 Years
An anonymous reader quotes a report from Ars Technica: Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face. Eight packages using nam...
Destructive malware available in NPM repo went unnoticed for 2 years - WorldNL Magazine
Some of the payloads were limited to detonate only on specific dates in 2023, but in some cases a phase that was scheduled to begin in July of that year was given no termination date. Pandya said that means the threat remains persistent, although in an email he also wrote: “Since all activation dates have passed (June 2023–August 2024), any developer following normal package usage today would immediately trigger destructive payloads including sy…
Coverage Details
Bias Distribution
- 100% of the sources are Center