#nodejs

By Deeba Ahmed Ukraine Reports Multiple Cyberattacks on Critical Russian Government Infrastructure and Private Companies, Leading to Nationwide Disruption and Massive Data Loss. This is a post from HackRead.com Read the original post: Ukraine Claims Destruction of 280 Russian Servers, 2 Petabytes Lost

By Deeba Ahmed FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI),… This is a post from HackRead.com Read the original post: Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

### Summary In SvelteKit 2 sending a GET request with a body eg `{}` to a SvelteKit app in preview or with `adapter-node` throws `Request with GET/HEAD method cannot have body.` and crashes the app. ``` node:internal/deps/undici/undici:6066 throw new TypeError("Request with GET/HEAD method cannot have body."); ^ TypeError: Request with GET/HEAD method cannot have body. at new Request (node:internal/deps/undici/undici:6066:17) at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9) at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26 at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7) at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5) at file:///C:/Users/admin/Desktop/reproduction/node_module...

### Impact Since v1.3.0, we use our own Request object. This is great, but the `url` behavior is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. ```ts const req = new Request('http://localhost/static/../foo.txt') // Web-standards console.log(req.url) // http://localhost/foo.txt ``` However, the `url` in our Request does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. ```ts const req = new Request('http://localhost/static/../foo.txt') console.log(req.url) // http://localhost/static/../foo.txt ``` It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using `serveStatic`. Note: Modern web browsers and a latest `curl` command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them. ### Patches "v1...

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in [email protected], [email protected], [email protected], [email protected] ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm c...

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included a "few strange binaries," according to software supply chain security firm Phylum, including a single

By Waqas The DDoS attacks occurred on January 17, 2023, and NetBlocks, a global internet monitoring platform, has confirmed the network disruption. This is a post from HackRead.com Read the original post: Anonymous Sudan’s DDoS Attacks Disrupt Network at Israeli BAZAN Group

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.9, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints.