Security news weekly round-up - 29th October 2021

Habdul Hazeez - Oct 29 '21 - - Dev Community

Introduction

Hello, and welcome!

It's another Friday. Let's get down to business.

Most of the news that we'll review this week is about vulnerabilities and bugs.


Popular NPM Package Hijacked to Publish Crypto-mining Malware

As a developer, reading articles like this makes me think twice before downloading a package from NPM, but sometimes you might need that package so badly that you forget about "security".

Excerpt from the article:

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining and password-stealing malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to get rid of three rogue packages that were found to mimic the same library

Researcher Earns $2 Million for Critical Vulnerability in Polygon

Polygon was in the news some weeks back when a hacker breached their system and made off with millions of dollars' worth of cryptocurrency; now they take security "super serious".

Excerpt from the article:

Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million
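The excerpt describes a withdrawal that the bridge accepted 224 times for one deposit. The bug class is a redeem step that validates the withdrawal but never records it as consumed, so the same valid submission pays out again. Below is a toy bridge ledger I wrote for this post to show that failure beside the fix; it is not Polygon's Plasma Bridge code, the class and method names (Bridge, deposit, withdraw, exit IDs) are my own, and the amounts are constructed.

```javascript
// Added example (not Polygon's code): a toy bridge ledger that models the bug
// class in the excerpt above, a withdrawal that is accepted more than once.
// Names are assumptions made for illustration and the amounts are constructed.
class Bridge {
  constructor({ trackSpentExits }) {
    this.trackSpentExits = trackSpentExits; // false = vulnerable, true = hardened
    this.locked = 0;                        // funds held by the bridge
    this.exits = new Map();                 // exitId -> { owner, amount }
    this.spent = new Set();                 // exit IDs already paid out
    this.balances = new Map();              // owner -> funds received on the far side
    this.nextExit = 1;
  }

  // Lock funds on one side and issue an exit the owner can later redeem.
  deposit(owner, amount) {
    if (!(amount > 0)) throw new Error('amount must be positive');
    this.locked += amount;
    const exitId = `exit-${this.nextExit++}`;
    this.exits.set(exitId, { owner, amount });
    return exitId;
  }

  // Redeem an exit. The exit is valid every time it is presented; the only thing
  // that stops a second presentation is the bridge remembering it was already paid.
  withdraw(exitId) {
    const exit = this.exits.get(exitId);
    if (!exit) throw new Error('unknown exit');
    if (this.trackSpentExits && this.spent.has(exitId)) throw new Error('exit already processed');
    if (this.locked < exit.amount) throw new Error('bridge has insufficient funds');
    // Hardened path: record the exit as spent before moving funds
    // (checks-effects-interactions) so a repeated or re-entrant call cannot slip in.
    if (this.trackSpentExits) this.spent.add(exitId);
    this.locked -= exit.amount;
    this.balances.set(exit.owner, (this.balances.get(exit.owner) || 0) + exit.amount);
    return exit.amount;
  }

  balanceOf(owner) { return this.balances.get(owner) || 0; }
}

// Deposit once, then present the same exit `times` times, as in the report.
// Returns what the attacker received and how many submissions were rejected.
function replayWithdrawal({ trackSpentExits, depositAmount, times }) {
  const bridge = new Bridge({ trackSpentExits });
  bridge.deposit('other-users', depositAmount * 1000); // the funds actually drained
  const exitId = bridge.deposit('attacker', depositAmount);
  let rejected = 0;
  for (let i = 0; i < times; i++) {
    try { bridge.withdraw(exitId); } catch (e) { rejected++; }
  }
  return { paidOut: bridge.balanceOf('attacker'), rejected, remainingLocked: bridge.locked };
}
```

With `trackSpentExits: false`, one deposit of 1,000,000 and 224 submissions (the first plus 223 repeats) pay out 224,000,000, all of it other users' money. With `trackSpentExits: true` the first submission pays and the other 223 are rejected. The fix is not a stronger proof check; it is state: the bridge must mark the exit consumed, and do so before it releases funds.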

Brutal WordPress plugin bug allows subscribers to wipe sites

It's as scary as the title itself.

Excerpt from the article:

The plugin in question, known as Hashthemes Demo Importer, is designed to help admins import demos for WordPress themes with a single click, without dealing with installing any dependencies

The security bug would allow authenticated attackers to reset WordPress sites and delete almost all database content and uploaded media

Banking scam uses Docusign phish to thieve 2FA codes

Scammers always look for creative ways to steal your money. I mean, they are relentless.

Excerpt from the article:

The crooks simply sent them to everyone as a crude way of sending them to someone.

So most scams might be obvious to most people, but some scams are believable to some people, and, once in a while, “some people” might just include you!

Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API

Using an API for something other than its intended purpose is sometimes not welcome.

Excerpt from the article:

According to Mozilla, a total of 455,000 users downloaded and installed the malicious add-ons before the browser maker was able to block the extensions

Furthermore, the organization paused approvals for add-ons relying on the proxy API to ensure that necessary fixes are available for all users first

All Windows versions impacted by new LPE zero-day vulnerability

The title says it all.

Excerpt from the article:

As this bug requires a threat actor to know a user name and password for another user, it will not be as heavily abused as other privilege elevation vulnerabilities we have seen recently, such as PrintNightmare

Malicious NPM Libraries Caught Installing Password Stealer and Ransomware

Say what? Not good.

Excerpt from the article:

The bogus packages — named "noblox.js-proxy" and "noblox.js-proxies" — were found to impersonate a library called "noblox.js," a Roblox game API wrapper available on NPM that boasts of nearly 20,000 weekly downloads, with each of the poisoned libraries downloaded a total of 281 and 106 times respectively
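Both NPM stories this week (the hijacked UAParser.js versions above, and these noblox.js look-alikes) come down to two questions a team can answer from its own lockfile: is a version listed in an advisory installed anywhere, including as a transitive dependency, and is any installed name a look-alike of a package we actually approved? The script below is my own added example, not code from the post or from npm. The package-lock contents, the allowlist and the advisory list are constructed for the example; the advisory versions are placeholders, so substitute the ones from the real advisory before relying on it. One fact it assumes is that the npm package behind "UAParser.js" is published as "ua-parser-js".

```javascript
// Added example (not from the post or from npm): audit an npm lockfile for the
// two supply-chain signals in this week's news. The lockfile, allowlist and
// advisory list are constructed for the example; the advisory versions are
// placeholders, not the real advisory.

// Constructed package-lock.json (lockfileVersion 2 layout).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'ua-parser-js': '^0.7.0', 'noblox.js-proxy': '^1.0.0' } },
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/noblox.js-proxy': { version: '1.0.5' },
    'node_modules/react': { version: '17.0.2' },
    'node_modules/react-dom': { version: '17.0.2' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/loadsh': { version: '0.0.4' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.29' },
  },
};

// Placeholder advisory list: take the real versions from the actual advisory.
const SAMPLE_ADVISORIES = [{ name: 'ua-parser-js', versions: ['0.7.29'] }];

// Names the team has reviewed and approved (constructed allowlist).
const SAMPLE_ALLOWLIST = ['ua-parser-js', 'noblox.js', 'react', 'react-dom', 'lodash', 'some-lib'];

// Flatten a lockfile into [{ name, version, path }], handling both the v2/v3
// "packages" map and the older v1 nested "dependencies" tree. Transitive
// dependencies are included; that is where a hijacked version usually hides.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf('node_modules/');
      if (idx === -1) continue; // '' is the root project itself
      out.push({ name: key.slice(idx + 'node_modules/'.length), version: meta.version, path: key });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Signal 1: an installed version that an advisory lists as compromised.
function findAffected(lock, advisories) {
  const bad = new Map(advisories.map(a => [a.name, new Set(a.versions)]));
  return installedPackages(lock).filter(p => bad.has(p.name) && bad.get(p.name).has(p.version));
}

// Standard Levenshtein edit distance, used to catch one- or two-character typos.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Signal 2: a name that is not approved but sits within a couple of edits of an
// approved name, or extends one (noblox.js -> noblox.js-proxy). This is a
// heuristic that queues names for human review, not proof of malice.
function typosquatCandidates(lock, allowlist, maxDistance = 2) {
  const approved = new Set(allowlist);
  const seen = new Set();
  const hits = [];
  for (const { name } of installedPackages(lock)) {
    if (approved.has(name) || seen.has(name)) continue;
    seen.add(name);
    for (const good of allowlist) {
      const extendsApproved = name.startsWith(good) && /^[-_.]/.test(name.slice(good.length));
      const dist = editDistance(name, good);
      if (extendsApproved || dist <= maxDistance) {
        hits.push({ name, lookalikeOf: good, reason: extendsApproved ? 'extends approved name' : `edit distance ${dist}` });
        break;
      }
    }
  }
  return hits.sort((x, y) => x.name.localeCompare(y.name));
}

function auditLock(lock, advisories, allowlist) {
  return { affected: findAffected(lock, advisories), lookalikes: typosquatCandidates(lock, allowlist) };
}
```

On the constructed lockfile, `auditLock` reports the nested `ua-parser-js` 0.7.29 under `some-lib` (the top-level 0.7.28 is clean, which is exactly why walking only direct dependencies is not enough) and flags `noblox.js-proxy` and `loadsh` for review. Run it against the lockfile you commit and install from with `npm ci`, so what gets audited is what actually lands in `node_modules`.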

Support Me

Writing makes me thirsty. I'll appreciate a cup of coffee 😉.

Buy Me A Coffee

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, I'll see you next Friday.
