In this era of throwaway email addresses, that is not sufficient to prevent the human being behind it from trying again, but we felt it was a necessary gesture. Hacktask’s email address is banned from using npm. If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment. Our estimate is that there were at most 50 real installations of crossenv, probably fewer. But even in that case, most of the downloads come from mirrors requesting copies of the 16 versions of crossenv published. From this you can see that the real danger came from the crossenv package, which had nearly 700 downloads, with some secondary exposure from the jquery typosquats. Note that 30-40 downloads is typical for any public package published to the registry, from registry mirrors automatically downloading copies. The numbers from before exposure are more revealing of the effect of the malware. exposureįollowing is a list of hacktask’s packages, with a count of total downloads from 7/19 to 7/31.ĭownload counts for these packages are larger in the last two days because of public interest in the problem. He did not find any other instances of that specific file with those contents.
He has every file in the public registry indexed by content hash to make scans like this possible. This time, the package naming was both deliberate and malicious-the intent was to collect useful data from tricked users.Īll of hacktask’s packages have been removed from the npm registry.Īdam Baldwin of Lift Security also looked into this incident to see if there were any other packages, not owned by hacktask, with the same package setup code. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. In the past, it’s been mostly accidental. We refer to this practice as “typo-squatting”. On July 19 a user named hacktask published a number of packages with names very similar to some popular npm packages. Further investigation led us to remove about 40 packages in total. We investigated this report immediately and took action to remove the package. On August 1, a user notified us via Twitter that a package with a name very similar to the popular cross-env package was sending environment variables from its installation context out to.
0 kommentar(er)
