JavaScript
Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups
A supply chain compromise involving Lottie Player, a widely used web component for playing site and app animations, has made popular decentralized finance apps show pop-ups …
Flood of malicious packages results in NPM registry DoS
Attackers are exploiting the good reputation and “openness” of the popular public JavaScript software registry NPM to deliver malware and scams, but are also …
Critical vm2 sandbox escape flaw uncovered, patch ASAP! (CVE-2022-36067)
Oxeye researchers discovered a severe vm2 vulnerability (CVE-2022-36067) that has received the maximum CVSS score of 10.0. Called SandBreak, this new vulnerability requires …
LogoKit update: The phishing kit leveraging open redirect vulnerabilities
Resecurity identified threat actors leveraging open redirect vulnerabilities in online services and apps to bypass spam filters to ultimately deliver phishing content. Using …
New npm flaws let attackers better target packages for account takeover
In this video for Help Net Security, Yakir Kadkoda, Lead Security Researcher, and Assaf Morag, Lead Data Analyst at Aqua Security, talk about new npm flaws that allow …
JavaScript security: The importance of prioritizing the client side
In this interview with Help Net Security, Vitaliy Lim, CTO at Feroot, talks about the most common JavaScript threats, the devastating impact of malicious or vulnerable code, …
Take a walk on the client side: The importance of front-end JavaScript security assessments
As e-skimming, Magecart, and other types of front-end attacks grow in frequency and severity, businesses are faced with finding ways to protect the front-end (i.e., client …
How threat actors are using npm to launch attacks
WhiteSource released a threat report based on malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide. The report is based on …
GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts
GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. About the fixed …
Trojan Source bugs may lead to extensive supply-chain attacks on source code
Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, …
Popular npm package hijacked, modified to deliver cryptominers
Several versions of the npm package for UA-parser.js, a widely used JavaScript library, have been modified to include malicious code and have been made available for download. …
Skyflow Fintech Privacy Vault accelerates product development for software teams
Skyflow announced a new zero trust data privacy vault that allows software teams to build and ship next-generation financial apps and systems faster. The new Fintech Privacy …