All Open-Sourced Code Should Be Reviewed

PWV Consultants
Oct 20, 2020


Three JavaScript packages were removed from the npm portal last week for malicious code. Just another reason all open-source code should be reviewed prior to deployment.

We’ve been warned about this for years. Open-source code is a beautiful thing because it lets coders, developers and engineers build on each other’s work. It makes those jobs easier by providing a codebase for common projects, and it is a place where industry experts can look for specific code to fix a problem in a business-specific project. But it is also a place where bad actors can claim they have a fix for something, which they might, while also slipping a string of malicious code into it. Last week, three JavaScript packages were removed from the npm portal because of malware embedded in their code, showing why all open-source code needs to be reviewed.

The three packages (plutov-slack-client, Nodetest199, nodetest1010) opened shells on the machines of developers who imported them into projects. The shells allowed bad actors to connect remotely to those machines and carry out further malicious activity. The packages worked on Windows and on *nix operating systems such as Linux, and had been live for over a year, resulting in hundreds of downloads. From ZDNet:


Originally published at https://www.pwvconsultants.com on October 20, 2020.
