Malicious changes detected in dependencies of the npm package with the PureScript installer

Malicious code has been identified in a dependency of the npm package with the PureScript installer; it is triggered when trying to install the purescript package. The malicious code is embedded via the dependencies load-from-cwd-or-npm and rate-map. It is noteworthy that the packages with these dependencies are maintained by the original author of the npm package with the PureScript installer, who until recently maintained this npm package as well; about a month ago the package was moved to other maintainers.

The problem was discovered by one of the package's new maintainers, who were given maintenance rights after many disagreements and frustrating discussions with the original author of the purescript npm package. The new maintainers are responsible for the PureScript compiler and insisted that the npm package with its installer should be maintained by the same maintainers and not by a third party. The author of the npm package with the PureScript installer disagreed for a long time, but then relented and transferred access to the repository. However, some dependencies remained under his control.

Last week PureScript compiler 0.13.2 was released and the new maintainers prepared a corresponding update of the npm package with the installer, in whose dependencies the malicious code was detected. The ousted maintainer of the PureScript npm installer package claimed that his account had been compromised by unknown attackers. However, in its current form, the actions of the malicious code were limited to sabotaging the installation of the package, which was the first version from the new maintainers. The malicious activity was limited to an error loop when trying to install the package with the command "npm i -g purescript", without performing any overtly malicious actions.

Two attacks were identified. A few hours after the official release of the new version of the purescript npm package, someone published a new version, load-from-cwd-or-npm 3.0.2, in which loading of binaries returned a PassThrough stream that mirrors input requests as output values.

4 days later, after the developers had figured out the source of the failures and were preparing to release an update to drop load-from-cwd-or-npm from the dependencies, the attackers released another update, load-from-cwd-or-npm 3.0.4, in which the malicious code was removed. However, almost immediately another dependency update, rate-map 1.0.3, was released, which added a change blocking the load callback. That is, in both cases the changes in the new versions of load-from-cwd-or-npm and rate-map amounted to obvious sabotage. Moreover, the malicious code contained a check that triggered the failing actions only when installing the release from the new maintainers, and did not manifest itself in any way when installing older versions.

The developers solved the problem by releasing an update in which the problematic dependencies were removed. To prevent the compromised code from lingering on users' systems after an attempted installation of the problematic version of PureScript, it is recommended to delete the contents of the node_modules directories and the package-lock.json files, and then set purescript version 0.13.2 as the lower bound of the dependency.
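As an added example (not code from the article or from the PureScript project), a Node.js script that scans a package-lock.json for the dependency versions named above, one way to confirm that the recommended cleanup actually removed them; the lockfile contents it scans are constructed for illustration.

```javascript
// Added example, not from the article: scan a package-lock.json for the dependency
// versions the article reports as sabotaged, to confirm the recommended cleanup of
// node_modules and package-lock.json took effect. Sample lockfile below is constructed.
const AFFECTED = {
  "load-from-cwd-or-npm": new Set(["3.0.2", "3.0.4"]),
  "rate-map": new Set(["1.0.3"]),
};
// Returns [{name, version, path}] for every affected package in the lockfile.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed by
// install path such as "node_modules/purescript/node_modules/rate-map").
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (AFFECTED[name] && AFFECTED[name].has(version)) hits.push({ name, version, path });
  };
  const walk = (deps, parents) => {            // v1 layout: nested tree
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...parents, name];
      check(name, entry.version, path.join(" > "));
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  for (const [key, entry] of Object.entries(lock.packages || {})) { // v2/v3 layout
    if (key === "") continue;                  // root project entry
    const parts = key.split("node_modules/").map((p) => p.replace(/\/$/, "")).filter(Boolean);
    check(parts[parts.length - 1], entry.version, parts.join(" > "));
  }
  return hits;
}
// Constructed sample (v1): purescript's installer pulled in both sabotaged packages;
// the unrelated rate-map 1.0.2 elsewhere in the tree must not be flagged.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    purescript: {
      version: "0.13.2",
      dependencies: {
        "load-from-cwd-or-npm": { version: "3.0.2" },
        "rate-map": { version: "1.0.3" },
      },
    },
    "other-lib": { version: "1.0.0", dependencies: { "rate-map": { version: "1.0.2" } } },
  },
};
for (const h of findAffected(SAMPLE_LOCK_V1)) console.log(`affected: ${h.path} @ ${h.version}`);
```

To check a real project, replace SAMPLE_LOCK_V1 with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result after the cleanup means neither sabotaged version is still pinned.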

Source: opennet.ru
