The npm team recently issued a security advisory urging all users to update the npm command line interface (CLI) to the latest version, 6.13.4, to close a set of "binary planting" vulnerabilities. According to the npm developers, the CLI was affected by path traversal and arbitrary file write (including overwrite) flaws: an attacker could use them to plant malicious binaries on a user's machine or overwrite files that are already there.
The vulnerabilities can only be exploited while the npm CLI is installing a malicious package, so an attacker has to get a user to install a package the attacker controls.
The npm team has been scanning the registry for packages designed to exploit these bugs and has so far found none. That is no guarantee the bugs have not been exploited, however, and users should remain vigilant. The team said it would continue monitoring, "but we can't scan all possible npm package sources (private registry, mirror, git repository, etc.), so it's important to update as soon as possible."
The vulnerabilities were discovered by Daniel Ruf, a German security researcher, who has published a more detailed technical write-up on his blog. To repeat the advice: check the installed version with npm --version and, if it is older than 6.13.4, upgrade with npm install -g npm@latest to stay protected.