MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
npm
Recherche

Another npm supply-chain attack

mardi 16 septembre 2025, 15:51 , par LWN.net
The Socket.dev blog describes
this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly
downloads) was detected on npm as part of a broader supply chain
attack that impacted more than 40 packages spanning multiple
maintainers.

The compromised versions include a function
(NpmModule.updatePackage) that downloads a package
tarball, modifies package.json, injects a local script
(bundle.js), repacks the archive, and republishes it,
enabling automatic trojanization of downstream packages.

There is some more information in this
Krebs on Security article.
Lire la suite sur LWN.net
https://lwn.net/Articles/1038326/

Voir aussi

npm Self-propagating worm fuels latest npm supply chain compromise TheRegister16 Sep
attack Jaguar Land Rover supply chain workers must get Covid-style support, says union TheRegister15 Sep
packages 1,200 undergrads hung out to dry after jailbreak attack on laundry machines TheRegister12 Sep
downloads Beijing went to 'EggStreme' lengths to attack Philippines military, researchers say TheRegister11 Sep
another More packages poisoned in npm attack, but would-be crypto thieves left pocket change TheRegister 9 Sep
package Jaguar Land Rover Extends Shutdown After Cyber Attack Slashdot 8 Sep
supply-chain Drift massive attack traced back to loose Salesloft GitHub account TheRegister 8 Sep
npm Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack Slashdot 8 Sep
attack CISA sounds alarm over TP-Link wireless routers under attack TheRegister 8 Sep
packages Supermarket Giant Tesco Sues VMware, Warns Lack of Support Could Disrupt Food Supply Slashdot 3 Sep
downloads Trump launches attack on offshore wind BoingBoing 3 Sep
another Cloudflare Stops New World's Largest DDoS Attack Over Labor Day Weekend Slashdot 3 Sep
package Supermarket giant Tesco sues VMware, warns lack of support could disrupt food supply TheRegister 3 Sep
supply-chain WhatsApp warns of 'attack against specific targeted users' TheRegister 1 Sep
npm Beta Blockers for Heart Attack Survivors: May Have No Benefit for Most, Could Actually Harm Women Slashdot31 Aug
attack Wave of npm supply chain attacks exposes thousands of enterprise developer credentials InfoWorld28 Aug
packages Nx NPM packages poisoned in AI-assisted supply chain attack TheRegister27 Aug
downloads Google issued ‘State-backed attack in progress’ warnings after spotting web hijack scheme TheRegister27 Aug
another "Always fight back": Canadian man punches cougar in face to escape attack BoingBoing27 Aug
package ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries TheRegister26 Aug
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Date Actuelle
mar. 16 sept. - 23:28 CEST