On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.
According to a subsequent investigation by npm's team, on July 19, a person named HackTask uploaded 38 JavaScript libraries to the npm repository.
Developers who used any of these packages within their projects are advised to change any passwords or access tokens they stored in their configurations.
Typo-squatting attacks are also common on Google's Chrome Web Store and Android Play Store, where malicious actors often copy popular Chrome extensions or Android apps, add malicious code, and re-upload the content on the official store with names similar to the originals.
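As an added example (not part of the original article), a project can audit its own dependency list for names that closely resemble the packages it actually intends to use. The function names, the allowlist and every package name below are constructed for illustration.

```javascript
// Flag dependency names that look like near-misses of packages a project
// intends to use. All package names in this file are constructed samples.

// Normalise away the separators that look-alike names commonly drop or swap.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return [{dependency, resembles, reason}] for names that are not on the
// allowlist but collide with, or sit within maxDistance edits of, an entry.
function findLookalikes(dependencies, allowlist, maxDistance = 1) {
  const findings = [];
  for (const dep of dependencies) {
    if (allowlist.includes(dep)) continue; // exact match: the expected package
    for (const known of allowlist) {
      const target = normalize(known);
      const d = editDistance(normalize(dep), target);
      if (d === 0) {
        findings.push({ dependency: dep, resembles: known, reason: "separator variant" });
      } else if (d <= maxDistance && target.length > 4) {
        // Very short names are skipped: one edit apart is too common to be a signal.
        findings.push({ dependency: dep, resembles: known, reason: `edit distance ${d}` });
      }
    }
  }
  return findings;
}

// Constructed input: an allowlist and the keys of a package.json "dependencies" object.
const allowlist = ["example-http-client", "sample_logger", "demo-parser"];
const dependencies = ["example-http-client", "examplehttpclient", "sample-loger", "left-field"];

console.log(findLookalikes(dependencies, allowlist));
```

A finding is only a prompt to review the package by hand; a clean result says nothing about what a correctly named package does at install time.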