NPM identified 15 thousand phishing and spam packages

An attack on users of the NPM registry has been recorded: on February 20, more than 15 thousand packages were published to the NPM repository whose README files contained links to phishing sites, or referral links that pay the publisher for each click-through. Analysis identified 190 unique phishing or advertising links in the packages, covering 31 domains.

The package names were chosen to attract the attention of ordinary users, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", and so on. The aim was to fill the list of recent updates on the NPM front page with spam packages. The package descriptions included links promising free giveaways, gifts, game cheats, and free services to boost follower and like counts on social networks such as TikTok and Instagram. This is not the first attack of this kind: in December, the publication of 144 thousand spam packages was recorded in the NuGet, NPM and PyPI registries.

The package contents were generated automatically by a Python script which, apparently by oversight, was left inside the packages and included the working credentials used during the attack. The packages were published under many different accounts, using techniques that made it harder to trace the activity and to quickly identify the problematic packages.

In addition to the fraud, several attempts to publish malicious packages were also recorded in the NPM and PyPI repositories:

  • 451 malicious packages were found in the PyPI repository, masquerading as popular libraries via typosquatting (registering similar names that differ by individual characters, e.g. vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocommpare instead of cryptocompare, seleniumm instead of selenium, pinstaller instead of pyinstaller, and so on). The packages contained obfuscated code for stealing cryptocurrency: it detected cryptocurrency wallet identifiers in the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet address pasted from the clipboard differs). The substitution was performed by a browser extension that ran in the context of every web page viewed.
  • A series of malicious HTTP libraries was identified in the PyPI repository. Malicious activity was found in 41 packages whose names were chosen using typosquatting and resembled popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The payload was styled as a working HTTP library or copied the code of existing libraries, and the descriptions included claims of advantages and comparisons with legitimate HTTP libraries. The malicious activity amounted to downloading malware onto the system or collecting and exfiltrating confidential data.
  • 16 JavaScript packages (speedte*, trova*, lagra) were identified in NPM which, in addition to their declared functionality (speed testing), also contained code for mining cryptocurrency without the user's knowledge.
  • 691 malicious packages were identified in NPM. Most of the problematic packages posed as Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code that sends confidential information to external servers. It is assumed that those who published the packages were trying to get their dependency substituted when building projects at Yandex (dependency confusion, i.e. the internal dependency substitution technique). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, etc.) with obfuscated malicious code that downloads and runs an executable file from an external server.
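The typosquatting pattern described in the items above (a name that differs from a popular library by one or two characters, or by a trailing digit or version tail) can be screened mechanically before a name is allowed into a dependency list. The following is an added example written for this page, not code from the article or from the NPM/PyPI registries: the POPULAR and CANDIDATES lists are constructed from the names quoted above, the PEP 503 name normalisation is real, and the "strip a trailing v<digits>" heuristic is an assumption made here.

```python
"""Screen candidate package names for typosquats of popular libraries.

Added example for this page, not code from the article or from the NPM/PyPI
registries. POPULAR and CANDIDATES are constructed from names quoted in the text.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed list: the legitimate projects the packages in the text imitated.
POPULAR: List[str] = [
    "vyper", "bitcoinlib", "cryptofeed", "ccxt", "cryptocompare",
    "selenium", "pyinstaller", "aiohttp", "requests", "urllib3", "httpx",
]

# Constructed list: lookalike names quoted in the article, plus one real name.
CANDIDATES: List[str] = [
    "vper", "bitcoinnlib", "ccryptofeed", "ccxtt", "cryptocommpare",
    "seleniumm", "pinstaller", "aio5", "requestst", "ulrlib", "urllb",
    "libhttps", "piphttps", "httpxv2", "requests",
]


def normalise(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_version_suffix(name: str) -> str:
    """Drop a trailing 'v2' / '2' style tail ('httpxv2' -> 'httpx').

    Assumption made for this example: a known name with only a version-like
    suffix appended is a lookalike, not a separate project.
    """
    return re.sub(r"v?\d+$", "", name)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance.

    Insertion, deletion, substitution and transposition of two adjacent
    characters each cost 1, so 'ulrlib' vs 'urllib' is 1, not 2.
    """
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def typosquat_target(name: str, popular: List[str] = POPULAR,
                     max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (imitated package, distance) if `name` looks like a squat, else None.

    An exact match after normalisation is the real package (or a case /
    separator variant that the index resolves to it) and is never flagged.
    """
    target = normalise(name)
    by_norm: Dict[str, str] = {normalise(p): p for p in popular}
    if target in by_norm:
        return None
    stripped = strip_version_suffix(target)
    if stripped in by_norm:
        return (by_norm[stripped], 0)
    best: Optional[Tuple[str, int]] = None
    for norm_p, p in by_norm.items():
        dist = edit_distance(target, norm_p)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    return best


def scan(names: List[str]) -> Dict[str, Tuple[str, int]]:
    """Map each flagged candidate to the package it imitates."""
    hits: Dict[str, Tuple[str, int]] = {}
    for n in names:
        hit = typosquat_target(n)
        if hit is not None:
            hits[n] = hit
    return hits


if __name__ == "__main__":
    for name, (orig, dist) in scan(CANDIDATES).items():
        print(f"{name:16s} -> {orig} (distance {dist})")
```

Run against the constructed list, the check flags every single-character variant from the first item and the transposed/truncated urllib variants, and treats httpxv2 as a version-tail lookalike of httpx; it does not flag aio5, libhttps or piphttps, which resemble their targets only loosely, and it does not flag requests itself. That gap is the caveat: edit distance catches the cheap variants, but a registry-side or CI-side check still needs keyword and prefix heuristics, publisher age and a review of install-time code to reach the rest of the packages the article lists.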

Source: opennet.ru
