Cybersecurity (opens in new tab) researchers have identified just over half a dozen vulnerabilities in a couple of npm packages (opens in new tab), which can be exploited by attackers to execute arbitrary code on systems that permit installation of untrusted npm packages.
The vulnerabilities were identified thanks to the initial reports by bug bounty hunters Robert Chen and Philip Papurt, who found security issues in the tar and @npmcli/arborist packages.
Further review of their reports led the GitHub security team to find a handful of other high-severity vulnerabilities in these cross-platform packages.
- Here’s our roundup of the best laptops for programming (opens in new tab)
- Protect your devices with these best antivirus software (opens in new tab)
- We’ve also compiled a list of the best ransomware protection tools (opens in new tab)
“When we learned of these vulnerabilities, we immediately started working on fixes and began scanning the npm registry for malicious packages that may have directly targeted the vulnerability that affected all npm CLI platforms,” shares GitHub’s Chief Security Officer Michael Hanley.
The scan completed early in August with the team failing to find any malicious packages that take advantage of the vulnerabilities.
Update your dependencies
Although exploitation of the issues through the npn CLI requires the installation of untrusted packages or processing untrusted tar archives, Hanley still urges developers to upgrade to the latest version of the affected utilities.
Developers with projects that depend on tar should ensure they upgrade their tar dependency versions to v4.4.19, v5.0.11, or v6.1.10, or newer.
Similarly, for npm CLI, Hanley advises users to move to v6.14.15, v7.21.0, or newer, which contain the fix.
“If you rely on Node.js for your npm installation, please update to the latest version of Node.js. The latest releases of Node 12, 14, and 16 as of August 31, 2021 all contain patched versions of npm that prevent exploitation,” writes Hanley.
- These are the best malware removal (opens in new tab) software on the market