How Two Malicious NPM Packages Targeted & Sabotaged Others.

An attacker allegedly gained access to an npm user account and published modules that broke dependents. But why?

https://twitter.com/shinnn_tw/status/1149778273024520197

Background

Timeline

Attack details

load-from-cwd-or-npm

purescript-installer
└─┬ dl-tar
  └─┬ load-request-from-cwd-or-npm
    └── load-from-cwd-or-npm <<<<<<< compromised package

rate-map

So what happened?

Why it matters.

rate-map version list with the missing 1.0.3 version

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.
