Slashdot Mirror


Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular -- albeit deprecated -- JavaScript package. The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team -- which analyzed this package earlier today after reports from the npm community -- says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library.

1 of 88 comments

  1. If they didn't need frameworks... by Viol8 · Score: 0, Flamebait

    ... then they'd be half decent coders and wouldn't be coding in babyscript, sorry, javascript. This language is where idiots and MBAs straight off an "Anyone can code!" course end up, writing Hello World style programs using half a dozen libraries to create a Hello factory and a World factory with another factory that joins factories which then creates a HelloWorld object that eventually outputs a string via some StringOutputter object.