Your Web News in One Place

An Interest In:

Web News this Week

Search Archive

Some of Our Sources

View All Sources

Help Webnuz

Referal links:

Sign up for GreenGeeks web hosting
December 16, 2019 03:13 pm

Npm Team Warns of New 'Binary Planting' Bug

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination between a file traversal and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planed backdoored or boobytrapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.

Read more of this story at Slashdot.


Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5SiqjkVQ_Hw/npm-team-warns-of-new-binary-planting-bug

Share this article:    Share on Facebook
View Full Article

Slashdot

Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..

More About this Source Visit Slashdot