
Comments (140)

  • love2read
The fact that http fetches and fs reads don't prompt the user are continually the craziest part of the `npx` and `package.json`'s `postinstall`. Does anyone have a solution to wrap binary execution (or npm execution) and require explicit user authorization for network or fs calls?
  • geenat
Downloads used in infrastructure... VSCode Extensions, Github repos, PyPI, NPM, etc. all need to be scrutinized. Open source at least has the option to audit; closed source (or "closed build" stuff like 7zip) is at far higher risk: mostly just VirusTotal which mostly will not catch backdoors of this type. Mainland China, Russia, North Korea, use these vectors for corporate and government espionage: https://www.youtube.com/watch?v=y27B-sKIUHA ...XZ, Swoole are 2 examples off the top of my head.
  • phito
    Malware in a crypto-related JavaScript package. Surprised Pikachu face
  • deanc
    I'd like to see a world where the JS community focused more on improving the stdlib across the browser and in nodejs - much like bun is doing. Common packages for node such as mysql2, axios etc. are so widely used and are huge attack vectors should they ever be compromised.
  • theteapot
    Put `ignore-scripts=true` in your .npmrc
  • megadata
    Could we start a community review pool?
  • BrouteMinou
I am reading this while downloading half the internet doing a `cargo build` for my hello world program. At least it's not the cursed javascript, right...
  • dingi
Why does NPM always seem to have these kinds of issues? Why do we rarely hear about similar problems with Maven Central, for example?
  • tedd4u
I think the industry is going to soon look back on building with Wild West open-source repos like we looked back on not having absolutely everything running on HTTPS in the Snowden era. I know Google has "assured" open source repos for Python and Java [1]. Are there other similar providers for those and other languages?
    [1] https://cloud.google.com/assured-open-source-software/docs/o...
  • xyst
People wonder why I run their shitty apps in VMs and nuke the VM afterwards. This is why, lol.
  • submeta
What's the advice? Only develop in a sandbox environment? Otherwise chances are our main machines get compromised?
  • distalx
    The open-source ecosystem's strength is also its weakness. Relying solely on community vigilance isn't cutting it anymore.
  • vaxman
Downloading NodeJS modules and containers from "public" data sources that are either vetted or are vetted by unknown parties, isStupid == TRUE. Play stupid games, win stupid prizes. It's unfortunately not a problem specific to Node, goes back to at least the early Linux kernel and CPAN days. As GenZ has invaded Wall Street, they have started to pay attention to this concern and call it a "supply chain integrity" issue. Ironically, GenZ also leads the charge in most companies to "trust everything" because "everyone is doing it." (In most corporations, "perception is the reality" and if everyone perceives jumping off the cliff is The Way https://youtu.be/V-SJQdREDKM) A solution is for ID.me to begin issuing developer certificates (for free to those offering themselves up as developers) and for the old system of public repositories and mirrors to be replaced by a single source of truth operated by a new entity jointly sponsored by the $15.4 Trillion worth of companies: Amazon, Google, Meta, Apple, nVidia, Tesla and Microsoft in such a way that everything in every repository can be traced back to the actual biometric signature of a developer and their related IRL context. This entity, its sponsors and ID.me also need to observe a regulation that they will NOT "track" or share information between each other (or others) about developers indexed off their developer certificates beyond what's necessary to host the repositories and to manage access to developer-only programs (such as Xcode signing, etc.) Ideally the JV will be located in Switzerland (perhaps with the hardware located in a Svalbard-like facility) using some UN supervised process (overseen by Nato, Russia, China and the Plebeians) to vet all workers.
  • JTbane
    Back in the day repositories had 'maintainers' who reviewed packages before they became included. I guess no one really cares in the web dev world; it's a free-for-all.
  • amelius
    I'm guessing we have to move to a setup where a developer enters code while being watched by an AI. Then the AI can give warnings if a line of code appears in the repository that wasn't on the developer's screen while they were looking.
  • Joel_Mckay
"I'm shocked, shocked... well not that shocked..." It is the curse of all out-of-band package managers... where eventually some lamer shows up to ruin the fun for everybody. =3
  • cute_boi
I think they should start scanning packages with the help of AI.