Supply Chain Security Campaigns on npm & Node.js security audits
Major stories this week include some active supply chain security campaigns on npm:
Lottie Player npm package compromised for crypto wallet theft - Downgrade to version 2.0.4 or upgrade to version 2.0.8 of @lottiefiles/lottie-player to remediate. Make sure to test whether you are affected.
Halloween eve sees typosquatting campaign - Malicious packages targeting Puppeteer, Bignum.js, and some 137 other cryptocurrency libraries.
npm supply chain security leveraged to breach Fortune 500 company - A security team ran a campaign to demonstrate their tool after finding bad dependency-usage practices, and ended up with a ping from an internal server belonging to a Fortune 500 company. A super interesting deep-dive that shows the real-world impact on development teams.
Sonatype disclosed counterfeit npm packages - On Oct 4th 2024 Sonatype disclosed the lodasher, them4on, and laodasher counterfeit npm packages, which aimed to backdoor Windows users with a modified AnyDesk binary.
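To act on the Lottie Player item above, here is an added example (not from the newsletter, and not LottieFiles' own tooling) that flags copies of @lottiefiles/lottie-player in a package-lock.json whose version falls in the affected range; that range, above 2.0.4 and below 2.0.8, is an assumption inferred from the remediation advice, and the lock data is constructed for the demonstration.

```javascript
// Added example: find @lottiefiles/lottie-player entries in a package-lock.json
// whose version is newer than 2.0.4 and older than 2.0.8 (assumed affected
// range, derived from "downgrade to 2.0.4 or upgrade to 2.0.8").

const PKG = "@lottiefiles/lottie-player";
const LAST_SAFE_BELOW = [2, 0, 4];
const FIRST_SAFE_ABOVE = [2, 0, 8];

// Parse "2.0.6" / "v2.0.6" into [major, minor, patch]; null if not semver.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedLottieVersion(version) {
  const v = parseSemver(version);
  if (!v) return false;
  return compareSemver(v, LAST_SAFE_BELOW) > 0 &&
         compareSemver(v, FIRST_SAFE_ABOVE) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lock file; nested copies
// live under paths like "node_modules/x/node_modules/@lottiefiles/lottie-player".
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && isAffectedLottieVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock data: one affected top-level copy, one nested safe copy.
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
    "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.4" },
  },
};

console.log(findAffectedInLock(sampleLock));
```

Replace sampleLock with JSON.parse of your real package-lock.json to scan a project; a hit means the lock file pins an affected version somewhere in the tree.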
Headlines
Fancy an Argument Injection lab? - I contributed a new lab to the official OpenSSF secure coding educational resource for developers. Go check it out and learn about command injection in Node.js apps. (Of course, if you want the deep-dive check out my Node.js Secure Coding books series).
Attacking the Node.js runtime with Path Traversal - How about a more offensive side of security? Check out an open-source Node.js path traversal vulnerability scanner that spawns fuzz-testing URLs to expose mishandled file paths in Node.js-based web servers.
node-version-audit - Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly updated list of CVEs, new releases, and end-of-life dates.
Node.js receives a Security Audit - The OpenJS Foundation has secured funds to sponsor a fuzz-testing security audit of the Node.js code base, resulting in updates and fixes to the OSS-Fuzz project in support of Node.js-related code. Here are the juicy report details.
The Human Dependency Graph - This write-up offers a different perspective on third-party npm dependencies (and those in other language ecosystems). Specifically, I like the points made about vetting the maintainers of packages (considering them as humans in your dependency chain, rather than strangers). Bekah Weigel and Jordan Harband draw some insights which, even if you don't fully agree with them, are worth a read.
On npm
npm packages:
- plop - A modern alternative to Yeoman generators for helpful project scaffolding.
- response-time - Response time header for Node.js web applications, often used with Express as middleware.
New Security Vulnerabilities
- dompurify found vulnerable to CVE-2024-48910 Prototype Pollution, 31 Oct 2024
- lilconfig found vulnerable to CVE-2024-21537 Arbitrary Code Execution, 30 Oct 2024
- langchain found vulnerable to CVE-2024-7042 SQL Injection, 29 Oct 2024
Can you find the security vulnerability here?
Hiring
- Bun hiring for Developer Experience Engineer in San Francisco, United States
- Vercel hiring for Developer Experience Engineer in Remote, United States
- NearForm hiring for Senior Developer in Remote, Italy
- Contentful hiring for Senior Software Engineer - TypeScript and Node.js in Denver, United States
- Fireflies.ai hiring for Full Stack Engineer in India, Turkey, Singapore