Software development relies heavily on trust, especially when it comes to open source components. JavaScript developers recently got a reminder of just how fragile that trust model is with the news that 39 malicious packages were removed from npm, the Node.js package management registry.

Between July 19 and July 31, an account named hacktask published a series of packages on npm with names that closely resembled those of existing, legitimate npm packages, wrote npm CTO CJ Silverio. Packages are used by developers to implement common functions without having to write the code from scratch. If developers aren’t careful and add the wrong packages as dependencies to their code, they wind up with malicious code in their applications. “The package naming was both deliberate and malicious—the intent was to collect useful data from tricked users,” Silverio said.
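The lookalike naming described above can be caught before install by comparing each declared dependency name against a list of packages a team actually intends to use. The script below is an added example, not code from the article or from npm: it computes the edit distance between every name in a package.json and a constructed trusted list, and reports names that are close to a trusted package without being it. The trusted list, the sample package.json and the lookalike names in it are all constructed for illustration and are not the packages that were removed.

```javascript
// Added example (not from the article or from npm): flag dependency names that
// sit within a small edit distance of a well-known package name but are not
// that package. TRUSTED and SAMPLE_PACKAGE_JSON are constructed for this demo;
// 'lodahs' and 'crossenv' are made-up lookalikes, not real findings.

const TRUSTED = ['lodash', 'express', 'request', 'cross-env', 'babel-core'];

const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: {
    'express': '^4.15.0',
    'lodahs': '1.0.0',    // constructed lookalike of lodash (two letters swapped)
    'crossenv': '1.0.0',  // constructed lookalike of cross-env (hyphen dropped)
    'left-pad': '1.1.3',
  },
};

// Levenshtein edit distance with single-row DP: insert, delete and substitute
// each cost 1. prev[j] holds dp[i-1][j] before the update and dp[i][j] after it.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0]; // dp[i-1][j-1] for j = 1
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return prev[b.length];
}

// Returns one finding per dependency (regular or dev) whose name is absent from
// the trusted list but lies within maxDistance edits of a trusted name.
// An exact match (distance 0) is the trusted package itself and is not reported.
function findLookalikes(pkg, trusted = TRUSTED, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trustedSet.has(name)) continue;
    for (const known of trusted) {
      const distance = levenshtein(name.toLowerCase(), known.toLowerCase());
      if (distance <= maxDistance) {
        findings.push({ name, lookalike: known, distance });
        break; // one report per dependency is enough for review
      }
    }
  }
  return findings;
}

// Demo run over the constructed manifest.
for (const f of findLookalikes(SAMPLE_PACKAGE_JSON)) {
  console.log(`review: "${f.name}" is ${f.distance} edit(s) from trusted "${f.lookalike}"`);
}
```

Findings are review items, not verdicts: a legitimate package can have a name that happens to be close to a popular one, so the check belongs in a pre-install or CI step where a human confirms each flagged name against the registry page of the package the team meant to use. It does not check scoped names (`@org/name`) separately, so a scoped lookalike would be compared on its full string.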

Malicious code in the Node.js npm registry shakes open source trust model