Malicious npm Libraries Impersonate Legitimate Packages
🦠 Malicious Typosquats Target Popular npm Packages, Compromising Developer Security. Threat actors have been discovered uploading counterfeit versions of legitimate npm packages, such as typescript-eslint and @types/node, which have garnered thousands of downloads. These malicious packages, named @typescript_eslinter/eslint and types-node, are designed to install trojans and retrieve harmful payloads. Security experts emphasize the need for enhanced supply chain security and vigilance in monitoring third-party software, as these attacks exploit developers’ trust. Additionally, several rogue extensions were identified in the Visual Studio Code Marketplace, further highlighting the risks associated with open-source software. The findings underscore the importance of caution when downloading tools and libraries to prevent introducing malicious code into projects.
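The two counterfeit names above show the pattern: the real name moved into a fake scope (@typescript_eslinter/eslint for typescript-eslint) or a scope flattened into a hyphen (types-node for @types/node). The following is an added example, not code from the article or from any project it mentions: a small lookalike check a team can run over its dependency list before install. The watchlist, the distance thresholds and the sample dependency list are constructed for this demonstration.

```python
import re

# Legitimate packages worth protecting: the two named in the article plus
# one constructed extra entry (assumption, not from the article).
WATCHLIST = ["typescript-eslint", "@types/node", "eslint"]

def split_scope(name: str) -> tuple[str, str]:
    """Return (scope, base) for an npm name; scope is '' when unscoped."""
    if name.startswith("@") and "/" in name:
        scope, base = name[1:].split("/", 1)
        return scope, base
    return "", name

def normalize(text: str) -> str:
    """Lowercase and strip '@', '/', '-', '_' and '.' so that
    'types-node' and '@types/node' compare on their letters alone."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(candidate: str, watchlist=WATCHLIST) -> list[str]:
    """Return the watchlist names the candidate resembles.
    Flags (a) the same letters under a different scope/separator layout and
    (b) a near miss (1-2 edits, constructed thresholds) in the full name or
    in the scope alone, which catches a real name moved into a fake scope.
    An exact scope match is left alone: that is the legitimate org itself."""
    if candidate in watchlist:
        return []
    scope, _ = split_scope(candidate)
    full = normalize(candidate)
    hits = []
    for legit in watchlist:
        target = normalize(legit)
        limit = 1 if len(target) < 8 else 2
        if edit_distance(full, target) <= limit:
            hits.append(legit)
        elif scope and 1 <= edit_distance(normalize(scope), target) <= limit:
            hits.append(legit)
    return hits

def audit(dependencies: list[str]) -> dict[str, list[str]]:
    """Map each suspicious dependency to the packages it resembles."""
    return {d: hits for d in dependencies if (hits := lookalikes(d))}
```

Running `audit(["@typescript_eslinter/eslint", "types-node", "@types/node", "eslint-plugin-react"])` flags only the first two entries; the legitimate scoped package and the unrelated plugin pass.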
