covering the week's top tech stories
with a slight linux bias three
javascript packages have been removed
from the npm portal for containing
malicious code
according to advisories from the mpm
security team
the three javascript libraries open
shells on the computers of developers
who imported the packages into their
projects
the shells allow threat actors to
connect remotely to the infected
computer
and execute malicious operations the npm
security
team said that the shells don't depend
on a particular operating system
and could be used to compromise windows
linux freebsd
openbsd and other systems
all three packages were uploaded to the
npm
portal in 2018 and each had hundreds of
downloads since then
the package's names are plutovs dash
slack dash
client nodetest199 and nodetest1010
npm security team said any computer that
is
that has this package installed or
running should be considered fully
compromised
all secrets and keys stored on that
computer should be rotated immediately
from a different computer they warn
the package should be removed but as
full control of the computer may have
been given to an outside entity
there is no guarantee that removing the
package will remove all malicious
software
resulting from installing it mpm
security staff regularly scans its
collection of javascript libraries
considered the largest package
repository for any programming language
thanks for watching the category 5 tv
newsroom
don't forget to like and subscribe for
all your tech news with a slight linux
bias
and if you appreciate what we do become
a patron at patreon.com
category 5. from the category 5 dot tv
newsroom i'm becca ferguson
[Music]
you