This site may contain outdated or incomplete information.
NPM Package mathjs-min Contains Credential Stealer
A malicious actor modified the widely-used Javascript library mathjs and uploaded it to NPM as a “minified” version called mathjs-min, which contained a Discord token grabber. The actor created a burner account and copied the README from the genuine mathjs package to appear legitimate. The malicious code was added to an innocuously named commit and deeply embedded in the library’s files. This highlights the potential security risks of using open-source software, especially as attackers are evolving their tactics.
Impact
This incident highlights the evolving tactics of threat actors who are constantly looking for new ways to deceive developers. In this case, the attackers targeted the widely-used mathjs library, which has over 667K weekly downloads and over 1800 dependents.
The vulnerability affects all pearweb
versions prior to 1.32, which is
the repository for the source code that powers pear.php.net
Type of Compromise
This incident fits the Negligence definition.
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.