GitHub identifies multiple nasty security vulnerabilities
All vulnerabilities have apparently now been patched
Cybersecurity researchers have identified just over half a dozen vulnerabilities in a couple of npm packages, which can be exploited by attackers to execute arbitrary code on systems that permit installation of untrusted npm packages.
The vulnerabilities were identified thanks to the initial reports by bug bounty hunters Robert Chen and Philip Papurt, who found security issues in the tar and @npmcli/arborist packages.
Further review of their reports led the GitHub security team to find a handful of other high-severity vulnerabilities in these cross-platform packages.
“When we learned of these vulnerabilities, we immediately started working on fixes and began scanning the npm registry for malicious packages that may have directly targeted the vulnerability that affected all npm CLI platforms,” shares GitHub’s Chief Security Officer Michael Hanley.
The scan completed in early August, and the team did not find any malicious packages that took advantage of the vulnerabilities.
Update your dependencies
Although exploitation of the issues through the npm CLI requires the installation of untrusted packages or processing untrusted tar archives, Hanley still urges developers to upgrade to the latest version of the affected utilities.
Developers with projects that depend on tar should ensure they upgrade their tar dependency versions to v4.4.19, v5.0.11, or v6.1.10, or newer.
Similarly, for npm CLI, Hanley advises users to move to v6.14.15, v7.21.0, or newer, which contain the fix.
“If you rely on Node.js for your npm installation, please update to the latest version of Node.js. The latest releases of Node 12, 14, and 16 as of August 31, 2021 all contain patched versions of npm that prevent exploitation,” writes Hanley.
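As an added example (not from the article, GitHub or the npm project), a small Node.js script that checks the tar and npm entries in a package-lock.json, including nested copies, against the fixed releases named above. Treating release lines the article does not list (such as tar 3.x) as unpatched is an assumption, and the lockfile fragment is constructed for the demonstration.

```javascript
// Fixed releases named in the article, keyed by package and grouped by major line.
const FIXED_VERSIONS = {
  tar: ['4.4.19', '5.0.11', '6.1.10'],
  npm: ['6.14.15', '7.21.0'],
};
// Parse "v6.1.9" or "6.1.9-beta" into [6, 1, 9]; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Numeric semver comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Patched if at or above the fix on its own major line, or on a major line newer than any
// listed fix. Older unlisted lines (e.g. tar 3.x) are assumed unpatched; other packages pass.
function isPatched(pkg, version) {
  const fixes = FIXED_VERSIONS[pkg];
  if (!fixes) return true;
  const [major] = parseVersion(version);
  const sameLine = fixes.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) >= 0;
  return major > Math.max(...fixes.map((f) => parseVersion(f)[0]));
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, including nested
// copies such as node_modules/npm/node_modules/tar, and return the unpatched entries.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = path.split('node_modules/').pop(); // keeps scoped names like @npmcli/arborist
    if (!isPatched(name, meta.version)) findings.push({ path, name, version: meta.version });
  }
  return findings;
}
// Constructed lockfile fragment for demonstration; not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/tar': { version: '6.1.9' },
    'node_modules/npm': { version: '7.21.0' },
    'node_modules/npm/node_modules/tar': { version: '4.4.19' },
    'node_modules/node-gyp/node_modules/tar': { version: '5.0.10' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK)); // two findings: tar 6.1.9 and tar 5.0.10
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means every tar and npm copy in the tree is at or above the fixed releases.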
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.