The popular NPM registry of JavaScript packages was described as a playground for malicious actors by software scanning services provider WhiteSource Software, which has published a report of its vulnerability analysis of the registry.
The WhiteSource research report, released February 2, was based on data culled using the WhiteSource Diffend malware detection platform. WhiteSource said it has reported more than 1,300 malicious packages to NPM in the past six months. Malware subsequently removed by NPM was found to be stealing both credentials and cryptocurrency and running botnets, said WhiteSource. The company said that nearly 14% of the malicious packages detected were designed to steal sensitive information such as credentials present in environment variables. While attackers using malicious packages often do not target particular companies or entities, some packages were designed to target certain systems.