The security team in charge of the ‘npm’ repository used for JavaScript libraries has removed two of the npm packages on Monday after they were found to contain malicious code that installed a remote access trojan (RAT) onto computers of developers who were working on JavaScript projects.
The names of the packages were jdb.js and db-json.js, and they were both created by the same author. The packages were described as tools which help developers work with JSON files generated by database applications. The packages were uploaded to the npm package registry last week and were downloaded over 100 times before their flaws were detected by Sonatype.
