- A maintainer of a popular NPM package fell prey to a phishing attack, sharing login information with cybercriminals
- The attackers accessed their NPM account and pushed malware via a popular package
- The malicious versions were deleted six hours later, but users should still be cautious
Experts have warned that “is”, an NPM package with more than 2.8 million weekly downloads, was also compromised in the same way and served malware for about six hours.
This comes shortly after eslint-config-prettier, another popular NPM package, was compromised in a supply chain attack that served malware. Its maintainer, JounQin, received an email spoofing the [email protected] address, asking them to “check” their account; when they did, the attackers gained access.
That access was used to push versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7 of the eslint-config-prettier package, which carried malware. The other compromised packages belonging to the same developer include eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall.
Rays and infostealers
Now, new reports say that John Harband, the maintainer of “is”, has also been compromised in the same way. The attackers maintained access for about six hours, during which they pushed versions 3.3.1 to 5.0.0, which contained malicious code.
“is” is a lightweight JavaScript utility library which essentially helps check what type of value something is.
For example, it can tell you if something is a number, a list or a word. It can also check if something is empty or if two things are the same.
It is simple, but popular enough to be widely used as a low-level utility dependency in development tools, test libraries, build systems, and backend and CLI projects.
The malware deployed via these packages was a web-based backdoor which gave the attackers access to compromised endpoints. The ESLint one also dropped Scavanger, an infostealer targeting data stored in the web browser.
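To check a project against the versions named above, the following added example (not from the original article or from either package's maintainers) scans a parsed package-lock.json. The function names and the sample lockfile are constructed for illustration, and "3.3.1 to 5.0.0" is read as an inclusive range, which is an assumption.

```javascript
// Versions named in the article. eslint-config-prettier entries are exact;
// for "is", "3.3.1 to 5.0.0" is read as an inclusive range (assumption).
const AFFECTED = new Map([
  ["eslint-config-prettier", { exact: ["8.10.1", "9.1.1", "10.1.6", "10.1.7"] }],
  ["is", { range: ["3.3.1", "5.0.0"] }],
]);
// Compare x.y.z numerically; prerelease/build suffixes are ignored.
function cmp(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
function isAffected(name, version) {
  const rule = AFFECTED.get(name);
  if (!rule || typeof version !== "string") return false;
  if (rule.exact) return rule.exact.includes(version);
  return cmp(version, rule.range[0]) >= 0 && cmp(version, rule.range[1]) <= 0;
}
// Scan the flat "packages" map (lockfileVersion 2/3), else the nested v1 "dependencies" tree.
function scanLockfile(lock) {
  const hits = [];
  const check = (name, meta, where) => {
    if (isAffected(name, meta.version)) hits.push(`${name}@${meta.version} (${where})`);
  };
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta, trail.concat(name).join(" > "));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
      check(meta.name || path.split("node_modules/").pop(), meta, path);
    }
  } else walk(lock.dependencies, []);
  return hits;
}
// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/eslint-config-prettier": { version: "10.1.7" },
  "node_modules/is": { version: "3.3.0" },
  "node_modules/tool/node_modules/is": { version: "5.0.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

In a real project, pass it the result of `JSON.parse` on the contents of package-lock.json; transitive copies nested under other packages are reported with their full path.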
Via BleepingComputer