Multiple Security Bugs Identified in Software Package Managers

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 
However, it is worth noting that exploiting the bugs requires the target to process a malicious package with one of the vulnerable package managers.
“This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files,” Paul Gerste, a researcher at SonarSource, explained. “But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?”
Package managers are systems or collections of tools that automate the installation, upgrade, and configuration of the third-party dependencies an application is built on.
The security bugs found across these package managers show that malicious actors could abuse them to trick victims into running malicious code. The vulnerabilities affect the following package managers and versions:
 • Composer 1.x < 1.10.23 and 2.x < 2.1.9
 • Bundler < 2.2.33
 • Bower < 1.8.13
 • Poetry < 1.1.9
 • Yar

[…]