前端圈突发!AntV、VS Code 插件同时被投毒!

今年不到半年时间,npm已经连续爆出多起重量级供应链攻击。 前段时间 axios被投毒, 随后 TanStack大面积污染, 而就在昨天,又连续爆出两起重量级供应链攻击: 大量 @antv相关 npm 包被植入恶意代码,涉及数百个包、数百个恶意版本。 恶意代码就会自动运行。 它还会尝试利用窃取到的 npm / GitHub权限继续传播恶意包。 是否存在最近升级的 AntV 相关异常版本。 相关访问 ...
IT News For Australia Business

'Protestware' npm package dependency labelled supply-chain attack

Russia's invasion of Ukraine has spilt over into developer-space, with a well-known npm maintainer adding "protestware" as a dependency to a very popular package. Security vendor Snyk is tracking what ...
Bleeping Computer

NPM supply-chain attack impacts hundreds of websites and apps

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As ...
Morning Overview on MSN

A new malicious npm package just got caught yanking files from users’ local disks — the ...

A malicious npm package tied to a campaign some observers have called “Malware-Slop” has been detected copying files from ...
CSOonline

Developer sabotages own npm module prompting open-source supply chain security questions

The node-ipc developer attempt to protest Russia's attack on Ukraine has the unintended consequence of casting more doubt in software supply chain integrity. The developer of a popular JavaScript ...
InfoWorld

Safety in Node.js: NodeSource to certify NPM modules

NodeSource’s Certified Modules service, intended to ensure the safety of NPM modules, becomes generally available on Thursday. Previously available only in a private beta stage, the service for ...