Backdoor sneaked into fake AWS package was downloaded hundreds of times

Researchers have found two fake Amazon Web Services packages containing concealed code that backdoored developers' computers when the packages were used. The packages were published to the open-source npm JavaScript registry and downloaded hundreds of times before detection. Their discoverer, Phylum, reported that the packages have been removed but noted that they remained available on npm for almost two days, indicating that most systems failed to identify them promptly. The incident underlines a broader trend of increasingly sophisticated attacks aimed at open-source repositories.
Source: arstechnica.com