Compromised NPM Packages, Malware, and GitHub - Blog

1.0Blog | GitProtect.iohttps://gitprotect.io/blogTomasz Lisowskihttps://gitprotect.io/blog/author/tomasz-lisowski/Compromised NPM Packages, Malware, and GitHub - Blog | GitProtect.iorich600338<blockquote class="wp-embedded-content" data-secret="rFzStjB8dT"><a href="https://gitprotect.io/blog/compromised-npm-packages-malware-and-github/">Compromised NPM Packages, Malware, and GitHub</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://gitprotect.io/blog/compromised-npm-packages-malware-and-github/embed/#?secret=rFzStjB8dT" width="600" height="338" title="“Compromised NPM Packages, Malware, and GitHub” — Blog | GitProtect.io" data-secret="rFzStjB8dT" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script type="text/javascript"> /* <![CDATA[ */ /*! This file is auto-generated */ !function(d,l){"use strict";l.querySelector&&d.addEventListener&&"undefined"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),o=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),c=new RegExp("^https?:$","i"),i=0;i<o.length;i++)o[i].style.display="none";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute("style"),"height"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):"link"===t.message&&(r=new URL(s.getAttribute("src")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",function(){for(var e,t,s=l.querySelectorAll("iframe.wp-embedded-content"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute("data-secret"))||(t=Math.random().toString(36).substring(2,12),e.src+="#?secret="+t,e.setAttribute("data-secret",t)),e.contentWindow.postMessage({message:"ready",secret:t},"*")},!1)))}(window,document); /* ]]> */ </script> https://gitprotect.io/blog/wp-content/uploads/2022/04/npm-post.png1200600Security professionals always have a lot of work to do. You may even get the impression that the number of things that have to be done grows more and more with time. Especially now, when in recent years the popularity of solutions based on external, dynamically loaded dependencies, such as entire libraries or individual functions, has grown. The popularity of NPM packages is also of great importance here. Currently, when creating an IT system, we are rarely entirely its authors, so we do not always have 100% control. External scripts may quite easily execute any malware.