More Malicious NPM Packages
Malicious NPM packages found in the public npm registry appear to have been created to steal Discord access tokens and take control of infected systems. The packages have since been removed.
In the 2021 SANS New Threats and Attacks report, Ed Skoudis highlighted “dependency confusion” attacks (an attacker publishes a public package that shares the name of an organization's internal package, at a higher version, so a misconfigured package manager fetches the attacker's copy) as part of the overall software supply chain security problem. Like everything related to supply chain security, there are multiple areas that must be addressed – package manager configuration, software asset inventory, and file integrity management, in addition to the nascent effort to produce accurate and meaningful Software Bills of Materials (SBOMs).
NPM is not the only repository being hit with malicious package versions; the PyPI (Python) and RubyGems (Ruby) repositories have also been hit. Make sure your CI process pulls in only vetted versions of packages (pinned to exact versions, with integrity hashes, from the registry you expect), then check that none of your vetted versions are listed as compromised.
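The two practical controls above, package manager configuration that keeps a private scope off the public registry and a CI step that admits only vetted, uncompromised versions, can be combined into one pre-install check over the lockfile. The following is an added example written for this note, not code from SANS or from any of the projects mentioned; the registry URLs, the `@acme` private scope, the denylist entries and the sample `package-lock.json` are all constructed assumptions, and the script expects the `packages` map used by lockfile version 2 and 3.

```javascript
// Added example for this article, not code from any of the projects mentioned:
// audit an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map)
// against a dependency policy before CI installs anything:
//   1. every fetched package must carry an integrity hash,
//   2. public packages must resolve from the expected public registry, and
//      packages in the organization's private scope must resolve from the
//      private registry only (a private scope served from the public registry
//      is the dependency-confusion pattern),
//   3. no package@version may appear on a denylist of known-compromised releases.
// Registry URLs, the private scope, the denylist and the sample lockfile are
// all constructed for illustration (assumptions, not real data).

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';     // assumed public registry
const PRIVATE_REGISTRY = 'https://npm.internal.example/';   // assumed private registry
const PRIVATE_SCOPE = '@acme';                              // assumed private scope

// Constructed denylist of compromised releases (hypothetical names/versions);
// in practice this is fed from advisories or your own vetting process.
const COMPROMISED = new Set([
  'demo-widget@1.4.1',
  'demo-discord-helper@0.0.3',
]);

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". Aliased packages
// carry an explicit "name" field, which wins.
function packageName(lockPath, entry) {
  if (entry.name) return entry.name;
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns a list of findings ({ id, rule, resolved? }); an empty list means
// the lockfile satisfies the policy.
function auditLockfile(lock, opts = {}) {
  const publicRegistry = opts.publicRegistry || PUBLIC_REGISTRY;
  const privateRegistry = opts.privateRegistry || PRIVATE_REGISTRY;
  const privateScope = opts.privateScope || PRIVATE_SCOPE;
  const compromised = opts.compromised || COMPROMISED;
  const findings = [];

  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue;   // the root project itself
    if (entry.link) continue;        // workspace symlink, nothing is fetched

    const name = packageName(lockPath, entry);
    const id = `${name}@${entry.version}`;
    const resolved = entry.resolved || '';
    const isPrivate = name.startsWith(privateScope + '/');

    // Rule 1: the tarball must be pinned by content hash.
    if (!entry.integrity) findings.push({ id, rule: 'missing-integrity' });

    // Rule 2: the resolved URL must point at the registry this package belongs to.
    const expected = isPrivate ? privateRegistry : publicRegistry;
    if (!resolved.startsWith(expected)) {
      findings.push({
        id,
        rule: isPrivate ? 'private-scope-from-wrong-registry' : 'unexpected-registry',
        resolved,
      });
    }

    // Rule 3: the exact version must not be a known-bad release.
    if (compromised.has(id)) findings.push({ id, rule: 'known-compromised' });
  }
  return findings;
}

// Constructed sample lockfile exercising each rule once (integrity values are
// placeholders, not real hashes).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/demo-widget': {            // on the denylist
      version: '1.4.1',
      resolved: 'https://registry.npmjs.org/demo-widget/-/demo-widget-1.4.1.tgz',
      integrity: 'sha512-PLACEHOLDER1',
    },
    'node_modules/@acme/internal-auth': {    // private scope served from the public registry
      version: '3.2.0',
      resolved: 'https://registry.npmjs.org/@acme/internal-auth/-/internal-auth-3.2.0.tgz',
      integrity: 'sha512-PLACEHOLDER2',
    },
    'node_modules/demo-util': {              // no integrity hash
      version: '0.9.1',
      resolved: 'https://registry.npmjs.org/demo-util/-/demo-util-0.9.1.tgz',
    },
    'node_modules/demo-clean': {             // passes every rule
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/demo-clean/-/demo-clean-2.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER3',
    },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

In a real pipeline the lockfile is read with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`, the build fails on any finding, and the install step is `npm ci` rather than `npm install`, since only `npm ci` installs exactly what the audited lockfile says. The registry half of rule 2 is enforced on the client side with an `.npmrc` line such as `@acme:registry=https://npm.internal.example/` (the scope and URL here are the same assumptions as in the script), which is what stops the dependency-confusion resolution in the first place; the audit is the check that the configuration actually held.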