神刀安全网

Alert: NPM modules hijacked

With the recent "module liberation" (the mass unpublishing of one author's npm modules), malicious activity was spotted: the freed module names were re-registered under someone else's account, hijacking the names of the original modules.

For example: https://github.com/mattdesl/install-if-needed/pull/2

The "hijacked modules" look like this:

    node_modules/dom-classes$ ls -la
    total 12
    drwxr-xr-x 5 drinchev admin  170 Mar 23 11:59 .
    drwxr-xr-x 4 drinchev admin  136 Mar 23 11:59 ..
    -rw-r--r-- 1 drinchev admin 1561 Mar 23 11:59 package.json
    -rw-r--r-- 1 drinchev admin 3186 Mar 23 01:43 x
    -rwxr-xr-x 1 drinchev admin  246 Mar 23 01:45 x.sh

and the content of the files is suspicious. The script takes a module name as its only argument, writes a placeholder package.json (the `npm init` default, at version 2.0.0 with no code at all) under that name and publishes it:

    node_modules/dom-classes$ cat x.sh
    A="$1"

    echo '{
      "name": "'"$A"'",
      "version": "2.0.0",
      "description": "",
      "main": "index.js",
      "scripts": {
        "test": "echo \"Error: no test specified\" && exit 1"
      },
      "author": "",
      "license": "ISC"
    }' > package.json

    npm publish
    node_modules/dom-classes$

Since those modules are popular, I suggest everyone check their dependencies (especially on private projects) before even passing them to their CI.

Some of the modules were published by the user @nj48. You can find the list at the link above.

Even though the hijacked modules were bumped to a new semver major (so they will not be installed by a range such as ~1.0 in your package.json), there is a high chance that people upgrade to them accidentally, for example through an unpinned or wildcard range.
