GitHub identifies multiple nasty security vulnerabilities


Cybersecurity researchers have identified just over half a dozen vulnerabilities in two npm packages that attackers could exploit to execute arbitrary code on systems that allow the installation of untrusted npm packages.

The vulnerabilities came to light through initial reports from bug bounty hunters Robert Chen and Philip Papurt, who found security issues in the tar and @npmcli/arborist packages.

Further review of their reports led the GitHub security team to find several other high-severity vulnerabilities in the same cross-platform packages.


“When we learned of these vulnerabilities, we immediately started working on fixes and began scanning the npm registry for malicious packages that may have directly targeted the vulnerability that affected all npm CLI platforms,” says GitHub’s Chief Security Officer Michael Hanley.

The scan, completed in early August, found no malicious packages in the registry that exploit these vulnerabilities.

Update your dependencies

Although exploiting the issues through the npm CLI requires installing untrusted packages or processing untrusted tar archives, Hanley still urges developers to upgrade to the latest versions of the affected utilities.

Developers whose projects depend on tar should upgrade their tar dependency to v4.4.19, v5.0.11, or v6.1.10 (or newer on the same major line), whichever release line they are on.

Similarly, for the npm CLI, Hanley advises users to move to v6.14.15 or v7.21.0, or newer, which contain the fix.

“If you rely on Node.js for your npm installation, please update to the latest version of Node.js. The latest releases of Node 12, 14, and 16 as of August 31, 2021 all contain patched versions of npm that prevent exploitation,” writes Hanley.
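The upgrade advice above is easy to follow for a direct dependency but easy to miss for the copies of tar that other packages pull in: npm can install several versions of tar side by side, and an old nested copy is still an old copy. The script below is an added example (not from the article, GitHub, or npm) that compares every tar version found in `npm ls` output against the fixed releases the article names. It assumes that a major line absent from that list (tar 3.x, for instance) never received a fix, that any major newer than the newest listed one shipped after the fix, and that the `dependencies`/`version` nesting of `npm ls --json` output is as shown in the constructed sample tree.

```javascript
// Added example, not from the article or from GitHub/npm: check installed
// tar and npm CLI versions against the fixed releases the article lists.
// Assumptions: a major line missing from the table never got a fix, and any
// major newer than the newest listed one shipped after the fix.

const PATCHED = {
  tar: ['4.4.19', '5.0.11', '6.1.10'],
  npm: ['6.14.15', '7.21.0'],
};

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into numeric parts plus a
// pre-release flag. In semver a pre-release sorts below its release, so
// "6.1.10-beta.0" must count as older than the fixed 6.1.10.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` of `pkg` is the fixed release for its major line or
// anything later; false for older releases and for major lines with no fix.
function isPatched(pkg, version) {
  const floors = (PATCHED[pkg] || []).map(parseVersion);
  if (floors.length === 0) throw new Error(`no advisory data for ${pkg}`);
  const v = parseVersion(version);
  const newestMajor = Math.max(...floors.map((f) => f.nums[0]));
  if (v.nums[0] > newestMajor) return true;   // e.g. npm 8.x: released after the fix
  const floor = floors.find((f) => f.nums[0] === v.nums[0]);
  if (!floor) return false;                   // e.g. tar 3.x: no fixed release on that line
  const cmp = compareNums(v.nums, floor.nums);
  return cmp > 0 || (cmp === 0 && !v.prerelease);
}

// Walk the JSON from `npm ls tar --json --all` (npm 7+; `npm ls tar --json`
// on npm 6) and report every copy of `pkg`, nested ones included: npm can
// install several tar versions side by side, and each one must be patched.
function auditTree(tree, pkg) {
  const found = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && child.version) {
        found.push({ path: here.join(' > '), version: child.version, patched: isPatched(pkg, child.version) });
      }
      walk(child, here);
    }
  };
  walk(tree, []);
  return found;
}

// Constructed sample in the shape `npm ls --json` emits (not real output):
// one direct, patched tar and one older copy pulled in transitively.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    tar: { version: '6.1.11' },
    'node-gyp': { version: '7.1.2', dependencies: { tar: { version: '6.1.0' } } },
  },
};

// Usage: node check-tar.js                                   (runs on the sample)
//        npm ls tar --json --all > ls.json && node check-tar.js ls.json
if (typeof require !== 'undefined' && require.main === module) {
  const tree = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_TREE;
  for (const hit of auditTree(tree, 'tar')) {
    console.log(`${hit.patched ? 'ok       ' : 'UNPATCHED'} ${hit.path}`);
  }
}
```

Run against the sample, the direct tar@6.1.11 is reported as patched while the nested tar@6.1.0 under node-gyp is flagged; that second line is the one a plain `npm ls tar` at default depth on npm 7 would hide, which is why the usage note passes `--all`. The same `isPatched` check works for the npm CLI itself with the output of `npm --version`.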

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
