
A curated list of awesome Node.js Security resources.

[Learn Node.js Security](https://nodejs-security.com)

Learn Node.js Secure Coding techniques and best practices from [Liran Tal](https://www.lirantal.com).

Contents

Tools

Web Framework Hardening

GitHub Actions and CI/CD Security

Static Code Analysis

Dynamic Application Security Testing

Input Validation & Output Encoding

Secure Composition

CSRF

Vulnerabilities and Security Advisories

Security Hardening

Data Sources

Security Incidents

Protestware supply chain security issues

The following is a list of known protestware, spanning other ecosystems too:

Articles covering protestware:

npm and JavaScript specific security incidents and supply chain security issues

Collection of security incidents that happened in the Node.js, JavaScript and npm-related communities, with supporting articles:

| Date | Name | Reference links |
|---|---|---|
| 2024 Oct 31 | Lottie Player npm package compromised for crypto wallet theft | Snyk |
| 2024 Oct 31 | Typosquat campaign targeting Puppeteer, Bignum.js, and some 137 other cryptocurrency libraries | Phylum |
| 2024 Oct 28 | Dependency confusion in an npm supply chain leveraged to breach a Fortune 500 company | https://www.landh.tech/blog/20241028-hidden-supply-chain-links/ |
| 2024 Oct 04 | lodasher, them4on, laodasher counterfeit npm packages aimed to backdoor Windows users with a modified AnyDesk binary | Sonatype |
| 2024 Jul 16 | string-width-cjs and other packages: suspicious maintainer unveils threads of an npm supply chain attack | Snyk |
| 2024 Jul 11 | noblox-ts starjacking and QuasarRAT on npm | Stacklok |
| 2024 Jun 17 | ua-parser-js switches to AGPL+commercial in "rug pull" move | Adventures in Nodeland |
| 2024 Jun 11 | cors-parser npm package hides cross-platform backdoor in PNG files | Sonatype |
| 2024 Jun 03 | npm registry cache poisoning attack | landh.tech |
| 2024 Apr 26 | Fake job interviews target developers with new Python backdoor | Bleeping Computer |
| 2024 Apr 16 | Tea tokens and developers abusing OSS infrastructure for monetization | Sonatype |
| 2024 Feb 06 | noblox.js-proxy-server malicious npm package masquerades as noblox.js, targeting Roblox users for data theft | Socket |
| 2024 Jan 25 | npm flooded with 748 packages that store movies | Sonatype |
| 2024 Jan 03 | An "everything" package with registry-wide dependencies prevents packages from being unpublished | SC Media |
| 2023 Dec 14 | Ledger supply chain attack introducing crypto drainer malware (@ledgerhq/connect-kit) | Sonatype, tweets |
| 2023 Sep 27 | Spoofed Dependabot commits steal GitHub tokens and inject malware into JavaScript files | Checkmarx |
| 2023 Jun 27 | Manifest Confusion: a newly disclosed npm package manager bug demonstrating that registry package metadata can be inconsistent with the package.json inside the published tarball | Darcy Clarke's blog |
| 2023 Jun 23 | North Korean attackers exploit social engineering and supply chain attacks on npm | Phylum |
| 2023 Jun 15 | Supply chain attack exploits abandoned S3 buckets to distribute malicious binaries for the bignum npm package | The Hacker News, Checkmarx |
| 2023 Jun 06 | Package names recommended by ChatGPT may be exploited as a supply chain attack vector | Vulcan |
| 2023 Feb 16 | Researchers hijack popular npm package with millions of downloads | Illustria on The Hacker News |
| 2023 Feb 10 | Researchers uncover obfuscated malicious code in PyPI Python packages, with evidence of related activity in the npm ecosystem | The Hacker News |
| 2023 Jan 29 | Phylum identifies 137 malicious npm packages | Phylum |
| 2022 Nov 29 | Invisible npm malware may hide in crafted versions and bypass npm audit's security checks | JFrog |
| 2022 Nov 24 | Phylum team captures malicious npm package imagecompress-mini, which claims to be an image compression tool | Louisw Lang on Twitter |
| 2022 Oct 12 | Aqua Security discovers flaw in npm that allows disclosing privately hosted npm packages on the registry | Aqua |
| 2022 Oct 07 | LofyGang distributed ~200 malicious npm packages to steal credit card data | The Hacker News |
| 2022 Sep 23 | Popular cryptocurrency exchange dYdX has had its npm account hacked | Mend |
| 2022 Jul 29 | Malicious packages small-sm, pern-valids, lifeculer, and proc-title target stealing credit card information and Discord tokens | Dark Reading |
| 2022 May 26 | Stolen OAuth GitHub tokens lead to npm security breach: compromised user account metadata, private packages, and plain-text passwords in logs | GitHub |
| 2022 May 24 | Malicious npm packages exploiting dependency confusion attacks | Snyk, Snyk |
| 2022 May 23 | npm packages hijacked due to expired domains | The Register |
| 2022 Apr 26 | npm package planting | Aqua, The Hacker News |
| 2022 Apr 05 | New npm flaws let attackers better target packages for account takeover | Aqua |
| 2022 Mar 31 | More protestware from styled-components | Checkmarx Security blog |
| 2022 Mar 18 | More protestware from es5-ext and event-source-polyfill | Snyk advisory for event-source-polyfill, es5-ext commit, Ars Technica |
| 2022 Mar 16 | peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine | Snyk blog, Dark Reading, SC Magazine |
| 2022 Mar 07 | Malicious packages caught exfiltrating data via legitimate webhook services | Checkmarx Security blog |
| 2022 Feb 22 | 25 malicious JavaScript libraries due to typosquatting attacks | The Hacker News |
| 2022 Feb 11 | 2,818 npm accounts use email addresses with expired domains | The Record |
| 2021 Dec 08 | 17 JavaScript libraries contained malicious code to collect and steal Discord access tokens and environment variables from users' computers | The Record |
| 2021 Dec 01 | The Bladabindi trojan and RAT malware | Sonatype |
| 2021 Nov 04 | coa and rc packages: popular npm library coa was hijacked with malicious code injected into it, ephemerally impacting React pipelines around the world | Bleeping Computer, The Record, npm tweets (coa, rc) |
| 2021 Oct 27 | noblox.js-proxy and noblox.js: typosquatted npm package that targets users of the official Roblox API and SDK npm package (noblox.js) | The Register |
| 2021 Oct 22 | ua-parser-js: versions of the popular npm package ua-parser-js were found to contain malicious code | Cybersecurity and Infrastructure Security Agency (CISA), GitHub issue, IOCs, PortSwigger, The Register |
| 2021 Sep 02 | pac-resolver: can enable threat actors on the local network to run arbitrary code within your Node.js process whenever it attempts to make an HTTP request | Ars Technica |
| 2021 Aug 07 | npm package ownership process backfires and exposes potential vectors for supply chain security risks | Twitter |
| 2021 Apr 13 | New Linux and macOS malware hidden in fake Browserify npm package: web-browserify | Bleeping Computer |
| 2020 Dec 02 | jdb.js and db-json.js: malicious npm packages caught installing remote access trojans | ZDNet, Bleeping Computer |
| 2020 Nov 09 | Malicious Discord npm package caught stealing sensitive Discord and browser files | Sonatype, ZDNet |
| 2020 Nov 03 | twilio-npm: malicious npm package opens backdoors on programmers' computers | ZDNet |
| 2020 Aug 29 | fallguys: malicious package stealing sensitive files | ZDNet |
| 2020 Apr 27 | is-promise: one-liner library breaks an ecosystem | Forbes Lindesay (maintainer post-mortem), Snyk's post-mortem |
| 2019 Aug 22 | bb-builder: malicious package targeting Windows systems to exfiltrate information and send it to a remote service | Snyk, ReversingLabs, Bleeping Computer |
| 2019 Jun 05 | EasyDEX-GUI: malicious code found in an npm dependency (electron-native-notify) of the EasyDEX-GUI wallet | npm, Snyk, Komodo announcement |
| 2018 Nov 27 | event-stream: malicious code found in npm package event-stream | GitHub issue, Snyk, Snyk's post-mortem, schneid, Intrinsic, npm, jayden, Hillel Wayne's post-mortem |
| 2018 Jul 12 | eslint: malicious packages found in npm packages eslint-scope and eslint-config-eslint | GitHub issue, ESLint tweet, ESLint's post-mortem, NodeSource's post-mortem, npm's statement |
| 2018 May 02 | getcookies: malicious package getcookies gets embedded in higher-level express-related packages | GitHub issue, npm, Bleeping Computer, Snyk's getcookies vulnerability page, Hacker News |
| 2018 Feb 13 | Maintainer account with access to the conventional-changelog npm package compromised; malware published for 1 day and 11 hours | conventional-changelog repository update |
| 2017 Aug 02 | crossenv: malicious typosquatting package crossenv steals environment variables | CJ blog on typosquat packages, typosquatting research paper, Bleeping Computer, Snyk's crossenv vulnerability page, Hacker News |
| 2016 Mar 22 | left-pad: how one developer broke Node, Babel and thousands of projects in 11 lines of JavaScript | left-pad.io, The Register, qurtaz |
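A practical check for the Manifest Confusion entry above (2023 Jun 27): compare the version metadata the registry advertises against the package.json shipped inside the tarball. npm resolves the dependency tree from the registry manifest but runs lifecycle scripts from the tarball's package.json, so a `preinstall` hook that exists only in the tarball is invisible to tooling that reads registry metadata alone. The snippet below is an added example, not code from this list or from the referenced write-up; the package `example-widget` and both manifests are constructed for illustration. In a real check the registry manifest comes from `https://registry.npmjs.org/<name>/<version>` and the tarball copy from `package/package.json` inside the `.tgz`.

```javascript
// Added example: detect "manifest confusion" between npm registry metadata
// and the package.json shipped inside the tarball. All sample data below is
// constructed for illustration and does not describe a real package.

// Fields that decide what gets installed or what runs at install time.
const CHECKED_FIELDS = [
  'name',
  'version',
  'dependencies',
  'optionalDependencies',
  'peerDependencies',
  'scripts',
  'bin',
];

// Canonical string form so objects compare equal regardless of key order;
// a missing field and an explicit null/undefined are treated alike.
function canon(value) {
  if (value === undefined || value === null) return 'null';
  if (typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return JSON.stringify(value.map(canon));
  const keys = Object.keys(value).sort();
  return JSON.stringify(keys.map((k) => [k, canon(value[k])]));
}

// Compare the registry's version manifest against the package.json read from
// the tarball. Returns one entry per field whose values differ.
function findManifestMismatches(registryManifest, tarballPackageJson) {
  const mismatches = [];
  for (const field of CHECKED_FIELDS) {
    const fromRegistry = registryManifest[field];
    const fromTarball = tarballPackageJson[field];
    if (canon(fromRegistry) !== canon(fromTarball)) {
      mismatches.push({
        field,
        registry: fromRegistry ?? null,
        tarball: fromTarball ?? null,
      });
    }
  }
  return mismatches;
}

// Lifecycle scripts npm runs automatically during install. Any of these that
// the tarball defines but the registry manifest omits is the dangerous case.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function hiddenInstallHooks(registryManifest, tarballPackageJson) {
  const shown = registryManifest.scripts || {};
  const real = tarballPackageJson.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in real && !(hook in shown));
}

// Constructed sample: what the registry advertises for a hypothetical package.
const sampleRegistryManifest = {
  name: 'example-widget',
  version: '1.2.3',
  dependencies: { 'left-pad': '^1.3.0' },
  scripts: { test: 'node test.js' },
};

// Constructed sample: what the published tarball actually contains.
const sampleTarballPackageJson = {
  name: 'example-widget',
  version: '1.2.3',
  dependencies: { 'left-pad': '^1.3.0', 'totally-legit-helper': '0.0.1' },
  scripts: { test: 'node test.js', preinstall: 'node setup.js' },
};

// Runs both checks over the constructed sample and returns the findings.
function verifySample() {
  return {
    mismatches: findManifestMismatches(sampleRegistryManifest, sampleTarballPackageJson),
    hooks: hiddenInstallHooks(sampleRegistryManifest, sampleTarballPackageJson),
  };
}

const { mismatches, hooks } = verifySample();
for (const m of mismatches) {
  console.log(`mismatch in "${m.field}":`, JSON.stringify(m.registry), 'vs', JSON.stringify(m.tarball));
}
if (hooks.length > 0) {
  console.log('install hooks present only in the tarball:', hooks.join(', '));
}
```

On the constructed sample the check reports two mismatching fields (`dependencies` and `scripts`) and flags `preinstall` as a hook that only the tarball carries. Treat any mismatch in `scripts`, `bin` or the dependency maps as a blocker in CI until a human has looked at the tarball.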

Follow-up notes:

Educational

Newsletters

Articles

Research Papers

Books

Roadmaps

Companies

Hacking Playground

Contributing

Found an awesome project, package, article, other type of resources related to Node.js Security? Send me a pull request! Just follow the guidelines. Thank you!


Say hi on Twitter.

License

CC0