Three npm packages found opening shells on Linux, Windows systems
Found on ZD Net on Wednesday, 21 October 2020
According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.
"Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm security team said.
In August, npm staff removed a malicious JavaScript library designed to steal sensitive files from an infected users' browser and Discord application.
In September, npm staff removed four JavaScript libraries for collecting user details and uploading the stolen data to a public GitHub page.
Lesson learned? Don't pull random junk into your system.