I saw this on X today and am curious how non-technical and technical builders are handling these types of situations. This is hiding malicious code in payloads that don’t render which to my understanding makes manual review useless. So I’m not really sure if I can use code search to see if any of the npm packages my project uses are compromised. Aikido Security found this and published an article on March 13th which I have linked.
Do we know how Replit decides which packages to use and if it scans known vulnerabilities before using those repos?
https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode#:~:text=starter%20(8%20stars)-,AI-Assisted%20Camouflage,can%20prevent%20a%20serious%20infection.
1 Like
have the Aikido app plugged into my gitrepo, this already looks for the glassworm compromise, I also audit all my replit apps for npm packages and cross reference with know malicious packages.
If you are implementing any AI agents into your app you can also use this AI agent test suite (BADASS) to check for issues and dependencies abuse https://baddas-sec.com just plug the app into your githubrepo.