- Mar 13, 2022
Last January, thousands of users of two popular open source libraries, "faker" and "colors," were shocked to see their applications breaking and showing gibberish data after being infected with a malicious package. And in October, a threat actor published 155 malicious packages to the npm repository in a typosquatting campaign targeting users of 18 legitimate packages, which, combined, typically see more than 1.5 billion weekly downloads. The attacker's goal? To download and install a backdoor password stealer/Trojan.
As the name implies, a malicious package is software created with malicious intent. What makes such packages particularly concerning is that they are remarkably easy to create. Useful for any number of malicious purposes, they are hard to avoid and hard to detect unless you know what to look for.
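Knowing what to look for starts with the dependency manifest itself. The following is an added example, not code from the article or from any of the projects it mentions: a small Python check over a package.json that flags two of the warning signs the text describes, lookalike names that sit within a short edit distance of a popular package (the typosquatting pattern) and open version ranges that would automatically pull in a sabotaged later release (the faker/colors pattern). The popular-package list, the sample manifest and the lookalike name "lodahs" are all constructed for illustration; real tooling would compare against registry download data rather than a hand-written set.

```python
"""Added example: audit a package.json for lookalike names and unpinned ranges."""
import json
import re

# Constructed allow-list of well-known package names (illustrative, not registry data).
POPULAR_PACKAGES = {"express", "lodash", "react", "chalk", "colors", "faker", "axios"}

# Only an exact x.y.z counts as pinned; ^, ~, >=, * and tags are open ranges.
PINNED_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Popular package names that `name` closely resembles but is not.

    An exact match is the legitimate package and is never reported.
    """
    if name in popular:
        return []
    return sorted(p for p in popular if levenshtein(name, p) <= max_distance)


def audit_manifest(manifest_json: str):
    """Scan dependencies and devDependencies; return a list of finding dicts."""
    manifest = json.loads(manifest_json)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            lookalikes = typosquat_candidates(name)
            if lookalikes:
                findings.append({"package": name, "issue": "lookalike-name",
                                 "resembles": lookalikes})
            if not PINNED_VERSION.match(spec):
                findings.append({"package": name, "issue": "unpinned-range",
                                 "spec": spec})
    return findings


# Constructed sample manifest: one lookalike name, one open range on a real package.
SAMPLE_MANIFEST = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "express": "4.18.2",   # pinned, legitimate: no finding
        "lodahs": "^1.0.0",    # constructed lookalike of "lodash", also unpinned
        "colors": "^1.4.0",    # real name, but any later 1.x release is pulled in automatically
    },
    "devDependencies": {"chalk": "5.0.1"},
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run as a script it prints three findings for the sample manifest: the lookalike name, its open range, and the open range on "colors". The edit-distance threshold of 2 is a deliberate trade-off; on very short package names it produces noise, so a production check would raise the minimum name length or weight the distance by the popularity of the package being imitated.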
Anatomy of a Malicious Package Attack (www.darkreading.com): Malicious packages are hard to avoid and hard to detect — unless you know what to look for.