{"id":45502,"date":"2022-03-01T16:00:06","date_gmt":"2022-03-01T16:00:06","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/"},"modified":"2022-03-01T16:00:06","modified_gmt":"2022-03-01T16:00:06","slug":"this-javascript-scanner-hunts-down-malware-in-libraries","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/","title":{"rendered":"This JavaScript scanner hunts down malware in libraries"},"content":{"rendered":"<p>Socket, the biz behind the Wormhole file transfer web app, on Tuesday plans to introduce a security scanning app also called Socket to defend against supply-chain attacks in the JavaScript ecosystem.<\/p>\n<p>For those developing with JavaScript and related technologies, GitHub&#8217;s NPM Package Registry is an essential resource. It&#8217;s the home of more than 1.8 million packages \u2013 libraries and modules that get added to applications as dependencies to perform useful functions.<\/p>\n<p>But its popularity has made it an attractive way to distribute malicious code, because compromised packages can reach a massive audience with minimal effort. 
WhiteSource, a security firm based in Israel, says that it detected and reported <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/02\/03\/npm_malware_report\/\" rel=\"noopener\">1,300<\/a> malicious npm packages last year.<\/p>\n<p>The <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/\">Socket<\/a> application aims to detect supply chain attacks before they do damage. 
In an email to <em>The Register<\/em>, Feross Aboukhadijeh, a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/feross\">prolific<\/a> open-source developer and co-founder\/CEO of Socket, explained that attacks on the open-source software supply chain have been getting worse since 2015 and he now sees them nearly every week.<\/p>\n<p>The situation became bad enough, he said, that he felt it was necessary to vet the open source dependencies in <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/04\/09\/wormhole_file_transfer\/\" rel=\"noopener\">Wormhole<\/a>, a web-based file transfer app promising security through encryption. &#8220;I didn&#8217;t feel comfortable telling people to trust our service with their most precious data when malware could be lurking in any dependency that we update to a new version,&#8221; he explained.<\/p>\n<p>Aboukhadijeh said the standard approach has been to scan for known vulnerabilities, or CVE-labeled flaws. But these kinds of programming blunders take a long time to discover and for public reports to appear, and finding and fixing these types of bugs is not on the same level as identifying deliberately compromised dependencies.<\/p>\n<h3 class=\"crosshead\"> <span>The 200-day gap<\/span><br \/>\n<\/h3>\n<p>Pointing to a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.ncbi.nlm.nih.gov\/pmc\/articles\/PMC7338168\/pdf\/978-3-030-52683-2_Chapter_2.pdf\">2020 research paper<\/a> [PDF] that found malware typically lurks in hosted packages for 200 days before being detected, Aboukhadijeh said it was clear that bad packages had to be caught before they got integrated into developers&#8217; apps.<\/p>\n<p>For Wormhole, that meant auditing every open-source package in the app.<\/p>\n
<p>&#8220;Fortunately, most supply chain attacks follow a similar pattern (stealing environment variables, sending data to the network, etc.) so we built a tool that would have caught all of the recent NPM supply chain attacks,&#8221; explained Aboukhadijeh. &#8220;The tool analyzes the actual behavior of the package instead of relying on stale data in a CVE database.&#8221;<\/p>\n<p>There are already a great many vulnerability scanning and static analysis tools available. But according to Aboukhadijeh, these fail to stop the supply-chain attacks on NPM that we&#8217;ve seen \u2013 <code>ua-parser-js<\/code>, <code>coa<\/code>, <code>rc<\/code>, <code>colors<\/code>, <code>faker<\/code>, <code>event-stream<\/code>, <code>eslint-scope<\/code>, and so on.<\/p>\n<p>&#8220;Traditional vulnerability scanning tools merely look up the package versions you\u2019re using and compare them to public CVE data in the National Vulnerability Database,&#8221; Aboukhadijeh said. 
&#8220;When they find a match, they send you an alert to upgrade to a new version.<\/p>\n<p>Traditional static analysis tools are way too noisy when run on third-party code, and don\u2019t provide actionable results. Socket, on the other hand, is intended to provide meaningful advice.<\/p>\n<div class=\"CaptionedImage width_85\"><a href=\"https:\/\/regmedia.co.uk\/2022\/03\/01\/socket_image.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2022\/03\/01\/socket_image.png?x=648&amp;y=307&amp;infer_y=1\" alt=\"Screenshot of Socket app\" title=\"Screenshot of Socket app\" height=\"307\" width=\"648\"><\/a><\/div>\n<p>The app looks for malware, typo-squatting, hidden\/obfuscated\/minified code, the introduction of risky APIs (filesystem, network, <code>child_process<\/code>, <code>eval()<\/code>), and suspicious updates. 
It currently supports <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/npm\/issue\">70 detections<\/a> across five categories: supply chain risk, quality, maintenance, known vulnerabilities, and license problems.<\/p>\n<p>&#8220;Socket uses static analysis (and soon, dynamic analysis) to characterize the behavior of a package and determine what capabilities it uses, which we call &#8216;capability detection,&#8217;&#8221; said Aboukhadijeh. &#8220;For instance, to determine if an npm package <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/npm\/issue\/networkAccess\">uses the network<\/a>, Socket looks at whether `fetch()`, or Node\u2019s `net`, `dgram`, `dns`, or `http` or `https` modules are used within the package or \u2013 and this part is key \u2013 any of its dependencies. We also look for redundant signals, such as the presence of <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/npm\/issue\/urlStrings\">URL or IP address fragments in strings<\/a>.&#8221;<\/p>\n<p>The app also looks at what&#8217;s going on outside the code in analyzed packages, to detect, for example, efforts to quietly acquire a popular package and then subvert it.<\/p>\n<p>&#8220;Some of the most valuable security signals come from side channels such as maintainer behavior,&#8221; said Aboukhadijeh. &#8220;Socket detects &#8216;<a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/npm\/issue\/unstableOwnership\">unstable ownership<\/a>&#8217;, which is when a new maintainer is given publish permission on a package. 
We also detect when packages are published out of chronological order because attackers often publish new patches on old major versions which still have a lot of usage.&#8221;<\/p>\n<p>It also looks for typo-squatting, which involves submitting a package to NPM that&#8217;s named in a way that&#8217;s confusingly similar to another package, in the hope of tricking developers into installing the malicious version.<\/p>\n<h3 class=\"crosshead\"> <span>Really opening up security<\/span><br \/>\n<\/h3>\n<p>Aboukhadijeh said those testing the app have already caught multiple instances of malware that they&#8217;ve reported and NPM has removed.<\/p>\n<p>&#8220;Beyond outright malware, Socket users have discovered an interesting new open source trend: some maintainers have started <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\/npm\/issue\/telemetry\">including telemetry in their packages<\/a> to gather runtime usage statistics,&#8221; said Aboukhadijeh. &#8220;This is similar to how websites include trackers such as Google Analytics. We have already added a detection in Socket for this issue so companies can detect and block telemetry from their open source. 
We\u2019re keeping an eye on this trend.&#8221;<\/p>\n<p>Aboukhadijeh said his company wants to open up Socket&#8217;s tools to security researchers who are looking for NPM malware and said those interested should get in touch.<\/p>\n<p>Socket is currently available as an integrated GitHub app \u2013 clicking the install button from the Socket website takes you to a GitHub permission prompt. Once authorized, it runs with each pull request, evaluating changes to package manifest files such as package.json. When a new dependency gets added, Socket will evaluate it and leave a comment if it&#8217;s a security risk, said Aboukhadijeh.<\/p>\n<p>There&#8217;s a Socket CLI and API in the pipeline. And the service is free for public repos, a benefit also available to private repos for a limited time. Socket package search and package health scores are available at no cost from the company&#8217;s <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/socket.dev\">website<\/a>. Socket integrations, such as the GitHub app, are free for open source repositories, &#8220;forever&#8221; we&#8217;re told. For private repos, the service is free while beta testing is going on. 
Pricing for private repos after general availability has yet to be decided.<\/p>\n<p>&#8220;In the coming weeks, we&#8217;ll ship a new detection for packages with maintainers who use email addresses with expired domains, which is a huge risk factor for package hijacking,&#8221; Aboukhadijeh said. &#8220;We&#8217;re also working on new signals such as maintainer reputation, maintainer burnout, and maintainer security practices (2FA enabled, code signing, security policy posted).&#8221;<\/p>\n<p>&#8220;Our goal is for Socket to provide the most comprehensive open source risk analysis on the market, and that means analyzing the full picture \u2013 from maintainers and how they behave, to open-source codebases and how they evolve.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2022\/03\/01\/socket_npm_dependency_scanner\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stick a fork in this Socket and zap malicious NPM packages Socket, the biz behind the Wormhole file transfer web app, on Tuesday plans to introduce a security scanning app also called Socket to defend against supply-chain attacks in the JavaScript ecosystem.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-45502","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-01T16:00:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"This JavaScript scanner hunts down malware in libraries\",\"datePublished\":\"2022-03-01T16:00:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/\"},\"wordCount\":1147,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/\",\"name\":\"This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2022-03-01T16:00:06+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3
D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/this-javascript-scanner-hunts-down-malware-in-libraries\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"This JavaScript scanner hunts down malware in libraries\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/","og_locale":"en_US","og_type":"article","og_title":"This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-03-01T16:00:06+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"This JavaScript scanner hunts down malware in libraries","datePublished":"2022-03-01T16:00:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/"},"wordCount":1147,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/","url":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/","name":"This JavaScript scanner hunts down malware in libraries 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2022-03-01T16:00:06+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Yh5DXenRs0vuOI7cXaEi0AAAAE8&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/this-javascript-scanner-hunts-down-malware-in-libraries
\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"This JavaScript scanner hunts down malware in libraries"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=45502"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45502\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=45502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=45502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=45502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}