Npm team warns of new 'binary planting' bug

guest · Dec 13, 2019

Npm team warns of new 'binary planting' bug
Npm bug lets booby-trapped npm (JavaScript) packages plant or alter binaries on the victim's system
December 13, 2019
https://www.zdnet.com/article/npm-team-warns-of-new-binary-planting-bug/

The team behind npm, the biggest package manager for JavaScript libraries, has issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks.

The bug can be exploited by attackers to plant malicious binaries or overwrite legitimate apps on a user's computer. What files can be written/planted is at the attacker's whim, depending on what they're trying to achieve.
The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI.

"However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planed backdoored or boobytrapped packages on the official npm repository.
NPM'S IMPORTANCE IN THE JS ECOSYSTEM
However, the issue impacts npm users more than yarn. Npm is not only the biggest package management application for JavaScript, but it's also the biggest package repository for any programming language, with more than 350,000 libraries.
Click to expand...

An in-depth technical report: binary planting and arbitrary file (over)write vulnerabilities in npm, pnpm and yarn

Log in or Sign up

Npm team warns of new 'binary planting' bug

guest Guest

Log in or Sign up

Npm team warns of new 'binary planting' bug

guest Guest

Useful Searches