Security researchers have identified more than half a dozen weaknesses in two npm packages that attackers could use to execute arbitrary code on systems that install untrusted npm packages.
Initial reports from bug bounty hunters Robert Chen and Philip Papurt identified vulnerabilities in the tar and @npmcli/arborist packages.
After reviewing those reports further, the GitHub security team identified several other high-severity vulnerabilities in the same packages.
“When we learned of these vulnerabilities, we immediately started working on fixes and began scanning the npm registry for malicious packages that directly targeted this threat, which affected all npm CLI platforms,” says Michael Hanley, GitHub’s chief security officer.
The scan was completed in early August; the team found no malicious packages exploiting the vulnerabilities.
Update your dependencies.
Although exploiting these issues through the npm CLI requires installing untrusted packages or processing untrusted tar archives, Hanley still urges developers to upgrade to the latest versions of the affected utilities.
Developers whose projects depend on tar should make sure they upgrade to tar v4.4.19, v5.0.11, or v6.1.10, or newer.
Similarly, for the npm CLI, Hanley advises users to move to v6.14.15 or v7.21.0, or newer, which include the fix.
“If you rely on Node.js for your npm installation, please update to the latest version of Node.js; its patched versions prevent exploitation.”
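To turn the version guidance above into a repeatable check, here is an added example (it is not code from the article, from GitHub, or from the npm project) that walks a dependency tree in the shape `npm ls --all --json` prints and flags every copy of tar and npm that is below the fixed releases the article lists. The `FIXED` table, `isPatched` and `findUnpatched` are this example's own names, the embedded tree is constructed sample data, and @npmcli/arborist is left out because the article gives no fixed version for it.

```javascript
// Added example, not part of the original article. Fixed releases are the ones
// the article names; an unlisted major line older than the oldest fix has no
// patched release on record here and is reported for upgrade.
const FIXED = {
  tar: ['4.4.19', '5.0.11', '6.1.10'],
  npm: ['6.14.15', '7.21.0'],
};

// "v6.1.10-rc.1" -> [6, 1, 10]. Prerelease and build suffixes are dropped,
// which treats 6.1.10-rc.1 as 6.1.10; good enough for an inventory pass.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// -1 / 0 / 1 in the usual comparator sense, numeric per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` of `name` is at or above the fix for its major line.
// A major newer than the newest fixed line counts as "or newer".
function isPatched(name, version) {
  const fixed = FIXED[name];
  if (!fixed) return true; // not a package this check tracks
  const major = parseVersion(version)[0];
  const majors = fixed.map((v) => parseVersion(v)[0]);
  if (major > Math.max(...majors)) return true;
  const threshold = fixed.find((v) => parseVersion(v)[0] === major);
  if (!threshold) return false; // older major line, no patched release listed
  return compareVersions(version, threshold) >= 0;
}

// Walk the nested `dependencies` objects and collect every unpatched copy of a
// tracked package, with the path through which it is pulled in. Nested copies
// are common, so a patched top-level tar does not clear the tree.
function findUnpatched(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name in FIXED && !isPatched(name, node.version)) {
      hits.push({ name, version: node.version, path: here.join(' > ') });
    }
    hits.push(...findUnpatched(node, here));
  }
  return hits;
}

// Constructed sample in the shape of `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    tar: { version: '6.1.8' },
    'node-gyp': {
      version: '8.1.0',
      dependencies: { tar: { version: '6.1.11' } },
    },
    'some-old-tool': {
      version: '0.3.2',
      dependencies: { tar: { version: '4.4.13' } },
    },
    npm: { version: '7.21.1' },
  },
};

for (const h of findUnpatched(SAMPLE_TREE)) {
  console.log(`${h.name}@${h.version} needs upgrading (via ${h.path})`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('tree.json'))` after `npm ls --all --json > tree.json` (npm 7 and later; npm 6 prints the full tree with plain `npm ls --json`). The output of the sample flags the top-level tar@6.1.8 and the nested tar@4.4.13 under some-old-tool, while tar@6.1.11 under node-gyp and npm@7.21.1 pass.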