npm team warns of new 'binary planting' vulnerability

The npm team recently issued a security alert advising all users to update the npm CLI to the latest version (6.13.4) to protect against "binary planting" attacks. According to the npm developers, the npm command line interface (CLI) client is affected by a vulnerability that combines path traversal with arbitrary file writes, including overwriting existing files. An attacker could use the flaw to plant malicious binaries or overwrite files on a user's machine.

The vulnerability can only be exploited while a malicious npm package is being installed through the npm CLI.

The npm team has been scanning the public registry for packages that attempt to exploit this bug and has not found any so far. They stress that this does not guarantee the bug has never been used, and that users should remain vigilant. The team said it would continue monitoring, "but we can't scan all possible npm package sources (private registry, mirror, git repository, etc.), so it's important to update as soon as possible."


npm is not the only affected client: yarn, the other widely used JavaScript package manager, has the same issue. It was fixed in yarn 1.21.1, released earlier this week.

The impact is larger for npm users than for yarn users. npm is not only the most widely used JavaScript package manager but also the largest package repository of any programming language, with more than 350,000 libraries. JavaScript is everywhere today, from browsers to financial applications and from desktops to servers, and because npm plays such a central role in that ecosystem it is a frequent target for abuse.

The usual goal of an attacker is to get a backdoor into applications built with a poisoned npm package and later use it to steal data from those applications' users. There have been many such cases. In August 2017, the npm team removed 38 packages that had been caught stealing environment variables from the projects that installed them, harvesting sensitive values such as passwords and API keys.

The vulnerability was discovered by Daniel Ruf, a German security researcher, who has published a more detailed technical write-up on his blog. Users are once again reminded to upgrade to the latest version to avoid being attacked.
