M'malo a NPM zochita zoipa m'maphukusi anayi, kuphatikizapo preinstall script, yomwe, musanayike phukusi, inatumiza ndemanga ku GitHub ndi chidziwitso cha adilesi ya IP ya wosuta, malo, malowedwe, chitsanzo cha CPU, ndi zolemba zanyumba. Khodi yoyipa idapezeka m'matumba (255 kutsitsa), (78 kutsitsa), (48 kutsitsa) ndi (37 zotsitsa).
Maphukusi amavuto adatumizidwa ku NPM kuyambira Ogasiti 17 mpaka Ogasiti 24 kuti agawidwe ntchito ,ndi. ndi kupatsidwa kwa mayina ofanana ndi mayina a malaibulale ena otchuka ndi kuyembekezera kuti wogwiritsa ntchitoyo apanga typo pamene akulemba dzinalo kapena sadzawona kusiyana kwake posankha gawo kuchokera pamndandanda. Potengera kuchuluka kwa zotsitsa, ogwiritsa ntchito pafupifupi 400 adagwa chifukwa cha chinyengo ichi, ambiri omwe adasokoneza ma electorn ndi ma elekitironi. Panopa ma electorn ndi loadyaml phukusi ndi oyang'anira a NPM, ndipo mapaketi a lodash ndi loadyml adachotsedwa ndi wolemba.
Zolinga za omwe akuwukirawo sizikudziwika, koma zikuganiziridwa kuti chidziwitsocho chikudumphira kudzera mu GitHub (ndemangayo idatumizidwa kudzera mu Nkhani ndipo idachotsedwa mkati mwa maola XNUMX) zikadachitika pakuyesa kuyesa njirayo, kapena kuwukira kudakonzedwa m'magawo angapo, poyambira pomwe deta ya ozunzidwayo idasonkhanitsidwa, ndipo chachiwiri, chomwe sichinachitike chifukwa chotsekereza, owukirawo adafuna kutulutsa zosintha zomwe zingaphatikizepo code yoyipa kwambiri kapena backdoor. kumasulidwa kwatsopano.
Source: opennet.ru