From securityboulevard.com
There has been a sharp rise in malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide, with more than 1,300 malicious npm packages discovered for use in supply chain attacks, cryptojacking, data theft and more.
A recent report by WhiteSource, a provider of open source security and management solutions, showed that the most popular types of malicious packages were those performing reconnaissance, which consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.
Even as developers increasingly depend on JavaScript to create rich online functionality, the JavaScript ecosystem is under constant attack from malicious actors.
A popular attack method is through JavaScript packages installed using Node package managers such as npm, tools that automatically resolve and install a project's dependencies.
Because the npm ecosystem is open in nature, anyone can submit packages, including bad actors who bundle backdoors or other malicious code into npm packages.
The report pointed out that the massive number of npm packages and the rate at which new ones are released make the ecosystem difficult to monitor and create a lucrative playground for attackers.