430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The npm installer for PureScript package has been compromised

It has happened again, another JavaScript package in the npm registry has been compromised, it is the installer for PureScript. The installer for PureScript package in the npm registry has tampered forcing project maintainers to purge the malicious code. Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its […]

French hospital

It has happened again, another JavaScript package in the npm registry has been compromised, it is the installer for PureScript.

The installer for PureScript package in the npm registry has tampered forcing project maintainers to purge the malicious code.

Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its npm installer.

Launching the installer by typing npm i -g purescript from the command line, it is possible to install the package, an extensive collection of libraries that counts for 2,000 installs a week.

The installer was originally developed and maintained the Japanese developer Shinnosuke Watanabe (@shinnn), later the maintainers of the project asked him to pass the control of the installer to them.

The developer accepted the request but was disappointed for the decision.

after a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so.” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and malicious code was added to some dependencies of the npm installer at separate times.

@shinnn claims that the packagers were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added has the only purpose of sabotage, it crashes the Purescript npm installer.

The malicious code was identified and removed by the maintainers of the project that have also dropped the Watanabe’s dependencies.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.

A similar case recently impacted developers using the Ruby strong_password library, the attacker hijacked the account of the real developer and injected malicious code in the library.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – npm, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]