#npm

#npm

A new version of the Shai-Hulud credentials-stealing self-propagating worm is expanding through the open npm registry, a threat that developers who download packages from the repository have to deal with immediately. Researchers at Wiz Inc. said Monday that in the early stages of the campaign late last week,a thousand new GitHub repositories containing harvested victim data were being added every 30 minutes. And researchers at JFrog identified 181 compromised packages.

The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual - It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods.

npm has taken down all versions of the real Stylus library and replaced them with a 'security holding' page, breaking pipelines and builds worldwide that rely on the package.

Deno 1.42 includes major updates for Node.js and NPM compatibility, enhancing modules such as async_hooks, crypto, and worker_threads for improved performance.

The Dockerfile demonstrates a streamlined setup for a Node.js application, starting from the lightweight Node.js 23-alpine image and ensuring the latest npm is installed.