JFrog spots hidden npm hack #npm #vulnerability #cybersecurity #devops #devsecops #jfrog #sre #cloud This is a clip from our recent Ship It Weekly Podcast episode. Visit https://shipitweekly.fm or link in bio to listen to the full episode!
"JFrog found hijacked NPM packages using a clever execution path. The malicious versions were not relying on the usual NPM lifecycle scripts. Instead, the payload hid inside a VS Code task, specifically a hidden task configured with runOn folder open. So the trap is not just install the package and NPM runs code. The trap is open the project folder in VS Code, trust the workspace, and the IDE runs the task. Developers open folders all day, example projects, reproduction repos, proofs of concept, vendor samples, AI-generated apps, random repos from Slack or GitHub issues. And the editor is not passive, it runs extensions, it loads config, it starts language servers, it runs tasks, it reads environment, it can access terminals and local secrets. JFrog also found additional Go packages tied to the same malware pattern. Your editor is an execution environment now, so act like-"
💬 Discussion
JFrog spots hidden npm hack #npm #vulnerability #cybersecurity #devops #devsecops #jfrog #sre #cloud This is a clip from our recent Ship It Weekly Podcast episode. Visit https://shipitweekly.fm or link in bio to listen to the full episode!