Sep 07 2021

Poisoned proxy PACs! The NPM package with a network-wide security hole

Category: Network security | DISC @ 9:24 am

Not long ago, independent software developer Tim Perry, creator of the HTTP Toolkit for intercepting and debugging web traffic…

…decided to add proxy support to his product, which, like lots of software these days, is written using Node.js.

ICYMI, Node.js is the project that took the JavaScript language out of your browser and turned it into a full-blown application development system in its own right, a bit like Java (which is unrelated to JavaScript, by the way, for all that the names sound similar).

As well as the JavaScript core, which uses the V8 JavaScript engine from Google’s Chromium project, Node.js software typically also relies on NPM, the Node package manager, and the NPM registry, a truly enormous repository of open-source Node tools and programming libraries.

The NPM registry runs from basic text formatting to full-on facial recognition, and almost everything in between.

Instead of writing all of the code in your project yourself, or even most of it, you simply reference the add-on packages you want to use, and NPM will fetch them for you, along with any additional packages that your chosen package needs…

…and all the packages that those packages need, following the turtles (packages) all the way down until every piece of add-on code needed to complete the jigsaw has been located and installed automatically.
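The "turtles all the way down" behaviour described above is exactly why a bug in one small library can land in projects that never asked for it directly. The script below is an added example, not code from the article or from HTTP Toolkit: it walks a package-lock-style dependency graph (constructed inline, with hypothetical package names) and reports, for every package that ends up installed, the chain of dependencies that pulled it in. Auditing that chain is how a defender works out whether an advisory for an obscure package actually applies to them.

```javascript
// Added example: enumerate transitive NPM dependencies and the chain that
// introduced each one. The graph below is a constructed stand-in for the
// "dependencies" tree in a package-lock.json; all names are hypothetical.
const lockfile = {
  "my-app": ["http-proxy-helper", "left-pad-ish"],
  "http-proxy-helper": ["pac-script-runner", "agent-base-ish"],
  "pac-script-runner": ["script-sandbox-ish", "netmask-ish"],
  "agent-base-ish": [],
  "left-pad-ish": [],
  "script-sandbox-ish": [],
  "netmask-ish": [],
};

// Breadth-first walk from the root package. Returns a Map of
// package name -> shortest chain (array of names) from the root.
// BFS guarantees the first chain recorded for a package is the shortest,
// and the visited check stops cycles (NPM graphs can contain them).
function transitiveDeps(graph, root) {
  const chains = new Map();
  const queue = [[root, [root]]];
  while (queue.length > 0) {
    const [pkg, chain] = queue.shift();
    for (const dep of graph[pkg] ?? []) {
      if (chains.has(dep)) continue;
      const depChain = [...chain, dep];
      chains.set(dep, depChain);
      queue.push([dep, depChain]);
    }
  }
  return chains;
}

// Human-readable "who pulled this in?" answer for a single package,
// or null if the package is not reachable from the root at all.
function whoPulledIn(graph, root, pkg) {
  const chain = transitiveDeps(graph, root).get(pkg);
  return chain ? chain.join(" > ") : null;
}

// Summary a reviewer would want: how many packages are direct vs. inherited,
// and how deep the deepest turtle sits.
function auditReport(graph, root) {
  const chains = transitiveDeps(graph, root);
  const direct = (graph[root] ?? []).length;
  let maxDepth = 0;
  for (const chain of chains.values()) {
    maxDepth = Math.max(maxDepth, chain.length - 1);
  }
  return {
    total: chains.size,
    direct,
    indirect: chains.size - direct,
    maxDepth,
  };
}

// Stand-alone usage: print the report and the chain for one deep package.
console.log(auditReport(lockfile, "my-app"));
console.log(whoPulledIn(lockfile, "my-app", "netmask-ish"));
```

Run it with `node audit.js`; on the constructed graph it shows that only two packages were requested directly, yet six are installed, and the deepest one sits three hops away from the application. Pointing `lockfile` at a parsed real `package-lock.json` (the `dependencies` map, with each entry's `requires` keys as its edge list) gives the same answer for a real project.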


Tags: security hole