image credit: Adobe Stock

Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware

July 5, 2023

The npm registry for the Node.js JavaScript runtime environment is susceptible to what’s called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation.

“A npm package’s manifest is published independently from its tarball,” Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. “Manifests are never fully validated against the tarball’s contents.

Read More on The Hacker News