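In less than half a year so far, npm has seen a string of major supply-chain attacks. A while ago axios was poisoned, then TanStack was widely contaminated, and just yesterday two more major supply-chain attacks came to light in succession: a large number of @antv-related npm packages were implanted with malicious code, involving hundreds of packages and hundreds of malicious versions. the malicious code will then run automatically. It also attempts to use stolen npm / GitHub permissions to keep spreading malicious packages. whether any recently upgraded, abnormal AntV-related versions are present. Related access ...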
Russia's invasion of Ukraine has spilt over into developer-space, with a well-known npm maintainer adding "protestware" as a dependency to a very popular package. Security vendor Snyk is tracking what ...
Morning Overview on MSN
A new malicious npm package just got caught yanking files from users’ local disks — the ...
A malicious npm package tied to a campaign some observers have called “Malware-Slop” has been detected copying files from ...
The node-ipc developer's attempt to protest Russia's attack on Ukraine has the unintended consequence of casting more doubt on software supply chain integrity. The developer of a popular JavaScript ...
A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function. After further investigation, analysts with ...