You too can run malware from NPM (I mean without consequences)
a day ago
- #phishing
- #npm
- #security
- Phishing of npm package maintainers continues; the resulting compromises have been highly visible but, so far, low-stakes.
- Compromised packages such as 'is-arrayish' shipped a payload that monkey-patches browser globals (for example fetch and the injected wallet provider's request method) to silently swap the recipient of cryptocurrency transactions.
- The post's example app shows how such a package can change a transaction's destination address before the wallet ever sees it.
- LavaMoat enforces a per-package policy: a dependency gets only the globals and imports its policy grants, so a compromised package cannot reach fetch or the wallet provider unless it was explicitly allowed to.
- With @lavamoat/webpack, each dependency is bundled into its own lexical context, so a global that one package overwrites is not the same object the app or other packages see.