Notable Security Incidents
Collection of security incidents that happened in the Node.js, JavaScript and npm related communities from lirantal/awesome-nodejs-security
- EasyDEX-GUI - malicious code found in npm package event-stream. References: npm, snyk, komodo announcement
- event-stream - malicious code found in npm package event-stream. References: github issue, snyk, snyk's postmortem, schneid, intrinsic, npm, jayden, hillel wayne's postmortem
- eslint - malicious packages found in npm packages eslint-scope and eslint-config-eslint. References: github issue, eslint tweet, eslint's postmortem, nodesource's postmortem, npm's statement
- getcookies - malicious package getcookies gets embedded in higher-level express related packages. References: GitHub issue, npm, bleepingcomputer.com, Snyk’s getcookies vulnerability page, Hacker News
- crossenv - malicious typosquatting package crossenv steals environment variables. References: CJ blog on typosquat packages, Typosquatting research paper, bleepingcomputer.com, Snyk’s crossenv vulnerability page, Hacker News
- bb-builder - malicious package targeting Windows systems to exfiltrate information and send it to a remote service. References: Snyk, Reversing Labs, Bleeping Computer
Analysis of an Exploited NPM Package by Jarrod Overson
Node’s npm carries over 210,000 packages from over 60,000 contributors. This wealth of open source functionality is awesome, but it also carries risk. You’re running a stranger’s code inside your applications. Do you know which packages you’re running? Do you know if their authors understand or care about security? Do you know if they have vulnerabilities?