
All news with #dependency management tag

10 articles

Managing Open-Source Vulnerabilities Across the Pipeline

🔒 Modern vulnerability management must go beyond scanning version numbers to encompass download policies, AI guardrails, and build-pipeline controls. Organizations should adopt a trusted internal artifact registry, rigorous component screening, and dependency pinning to reduce supply-chain and malicious-package risks. Complement these controls with enriched vulnerability intelligence, SCA, and developer training. Systematic handling of EOL or abandoned components — via migration, LTS, or compensatory controls — completes the approach.

From typos to takeovers: npm supply‑chain attack escalation

🔐 The npm ecosystem has shifted from simple typosquatting to coordinated, credential-driven supply‑chain intrusions that target maintainers, CI pipelines, and trusted automation. Attackers now compromise legitimate packages via stolen tokens and publish trojanized updates that quietly propagate to millions of downstream projects. Detection increasingly requires runtime and anomaly analysis rather than static scanning, while mitigations focus on treating CI runners as production assets, aggressively rotating and scoping publish tokens, disabling unnecessary lifecycle scripts, and pinning dependencies to immutable versions.

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.

Tens of Millions Download Vulnerable Log4j (Log4Shell)

🛡️ Sonatype reports that 13% of Log4j downloads in 2025 — roughly 40 million of 300 million Maven Central downloads analyzed — remain vulnerable to the CVSS 10.0 Log4Shell flaw first disclosed four years ago. The vendor describes this as corrosive risk, where fixes exist but unsafe versions continue to spread because consumers don’t upgrade or transitive dependencies reintroduce bad releases. Sonatype highlights noisy SCA alerts, set-and-forget dependencies and poor selection criteria as root causes. It urges using SCA and artifact repositories to map exposure, automating upgrade PRs, enforcing repository guardrails and adopting new metrics to reduce unnecessary risk.

Shai-Hulud 2.0: Inside a Major npm Supply-Chain Attack

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21–23 November attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

Over 46,000 Fake npm Packages Flood Registry Since 2024

📦 Researchers warn a large-scale spam campaign has flooded the npm registry with over 46,000 fake packages since early 2024, a coordinated, long-lived effort dubbed IndonesianFoods. The packages harbor a dormant worm in a single JavaScript file that only runs if a user manually executes commands like node auto.js, enabling automated self-publishing of thousands of junk packages. The campaign appears designed to waste registry resources, pollute search results, and possibly monetize via the Tea protocol; GitHub says it has removed the offending packages.

CISO Guide: Defending Against AI Supply-Chain Attacks

⚠️ AI-enabled supply chain attacks have surged in scale and sophistication, with malicious package uploads to open-source repositories rising 156% year-over-year and real incidents — from PyPI trojans to compromises of Hugging Face, GitHub and npm — already impacting production environments. These threats are polymorphic, context-aware, semantically camouflaged and temporally evasive, rendering signature-based tools increasingly ineffective. CISOs should prioritize AI-aware detection, behavioral provenance, runtime containment and strict contributor verification immediately to reduce exposure and satisfy emerging regulatory obligations such as the EU AI Act.

Critical RCE in expr-eval JavaScript Library, affects NPM

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.

Malicious NuGet Packages Contain Delayed Logic Bombs

⚠️ Socket has identified nine malicious NuGet packages published in 2023–2024 by the account "shanhai666" that contain time‑delayed logic bombs intended to sabotage database operations and industrial control systems. The most dangerous, Sharp7Extend, bundles the legitimate Sharp7 PLC library and uses C# extension methods plus an encrypted configuration to trigger probabilistic process terminations (≈20%) and silent PLC write failures (≈80% after 30–90 minutes). Several SQL-related packages are set to activate on staged dates in August 2027 and November 2028, and the packages were collectively downloaded 9,488 times. All nine malicious packages have been removed from NuGet; attribution remains uncertain.

Vidar Infostealer Delivered Through Malicious npm Packages

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.