Introduction
Hello, and welcome!
It's another Friday. Let's get down to business.
Most of the news that we'll review this week is about vulnerabilities and bugs.
Popular NPM Package Hijacked to Publish Crypto-mining Malware
As a developer, reading articles like this makes me think twice before downloading a package from NPM, but sometimes you need that package so badly that you forget about "security".
Excerpt from the article:
The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining and password-stealing malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to get rid of three rogue packages that were found to mimic the same library.
Researcher Earns $2 Million for Critical Vulnerability in Polygon
Polygon was in the news some weeks back when a hacker breached their system and made away with millions of dollars' worth of cryptocurrency; now they take security "super serious".
Excerpt from the article:
Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.
Brutal WordPress plugin bug allows subscribers to wipe sites
It's as scary as the title itself.
Excerpt from the article:
The plugin in question, known as Hashthemes Demo Importer, is designed to help admins import demos for WordPress themes with a single click, without dealing with installing any dependencies.
The security bug would allow authenticated attackers to reset WordPress sites and delete almost all database content and uploaded media.
Banking scam uses Docusign phish to thieve 2FA codes
Scammers always look for creative ways to steal your money. I mean, they are relentless.
Excerpt from the article:
The crooks simply sent them to everyone as a crude way of sending them to someone.
So most scams might be obvious to most people, but some scams are believable to some people, and, once in a while, “some people” might just include you!
Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API
Using a service for something other than its intended usage is sometimes not welcome.
Excerpt from the article:
According to Mozilla, a total of 455,000 users downloaded and installed the malicious add-ons before the browser maker was able to block the extensions.
Furthermore, the organization paused approvals for add-ons relying on the proxy API to ensure that necessary fixes are available for all users first.
All Windows versions impacted by new LPE zero-day vulnerability
The title says it all.
Excerpt from the article:
As this bug requires a threat actor to know a user name and password for another user, it will not be as heavily abused as other privilege elevation vulnerabilities we have seen recently, such as PrintNightmare.
Malicious NPM Libraries Caught Installing Password Stealer and Ransomware
Say what? Not good.
Excerpt from the article:
The bogus packages — named "noblox.js-proxy" and "noblox.js-proxies" — were found to impersonate a library called "noblox.js," a Roblox game API wrapper available on NPM that boasts nearly 20,000 weekly downloads, with the poisoned libraries downloaded a total of 281 and 106 times respectively.
Support Me
Writing makes me thirsty. I'll appreciate a cup of coffee 😉.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday.