Salta al contenuto principale

1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.
in reply to Lance R. Vick

Lance R. Vick
Lance R. Vick

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

in reply to Lance R. Vick

Sandra
Sandra
Why is it so much more often NPM we see in these disasters and so seldom Debian or even Gem or CPAN?
in reply to Sandra

federico
federico
Because in #Debian it takes multiple pairs of eyes to review and approve a package. Packages are signed and Debian Developers sign each other cryptographic keys after meeting in person and verifying passports. To become a Debian Developer one needs to prove commitment by contributing for years, receiving mentoring and passing interviews and exams.
#Debian
in reply to Sandra

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

It is theoretically possible to be a an active community member in the projects of your pypi/CPAN/rubygems/Debian dependencies.

Not so with the typical npm dependency tree. The culture is completely different. Your transitive dependences will typically count in the hundreds rather than a handful.

Arguably those hyper-prolific authors that maintain 390 published packages cannot even be active community members of their own packages, which could be said to be a contributing reason for that Tarr incident.

Questa voce è stata modificata (2 anni fa)
in reply to Sandra

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
It's entirely cultural when you're comparing pypi, rubygems and npm. For Debian as noted by @federico there are clear governance differences.
@federico
Questa voce è stata modificata (2 anni fa)
in reply to Lance R. Vick

Johann150 ⁂ :ipv6: :open_access: ☮
Johann150 ⁂ :ipv6: :open_access: ☮
foreach sounds like a package that you shouldnt need with Array.prototype.forEach ​:blobfoxthonking:
in reply to Johann150 ⁂ :ipv6: :open_access: ☮

Beko Pharm (deprecated)
Beko Pharm (deprecated)

yes, that's true. It made it into ECMAScript 5.1

Now if you've for _some_ weird reason a system that requries some _older_ build target you get a polyfill.

That was provided by packages like this and should be helluvEOL nowadays. There are better suited and highly automated polyfills.

Anyway, the issue is very real. This happened before and will happen again.

It's also the very same for most language depending package managers out there and this is why version pinning is a thing.

in reply to Beko Pharm (deprecated)

Ryuno-Ki
Ryuno-Ki
So it could happen to PyPI (Python), RubyGems (Ruby), Crates (Rust), … too :-(
@Johann150
@Johann150 ⁂ :ipv6: :open_access: ☮
in reply to Ryuno-Ki

Beko Pharm (deprecated)
Beko Pharm (deprecated)

…and browser extensions and game mods. Heck, whatever allows to regain access to an account via mail basically.

No 2FA on your Google Dev account? Too bad 🙃

in reply to Ryuno-Ki

Elena ``of Valhalla''
Elena ``of Valhalla''

Attacks on PyPI (the one I know best) and the others based on the fact that anybody can upload a new package have already happened and will keep happening.

With npn it happens more often because of the higher visibility, of the culture of tiny libraries that multiplies the attack surface by a few orders of magnitude and other social factors.

Ryuno-Ki reshared this.

in reply to Elena ``of Valhalla''

Elena ``of Valhalla''
Elena ``of Valhalla''

Personally I very much prefer to live in a world where there are two layers in the distribution of software (libraries).

One where everybody can upload, and I as a moderately competent software person can go to discover new things, review them (both as code and as maintainership situation), decide whether or not I want to trust them.

And another where I as a tired person who needs the software|library *now* can go and get things (and trust automatic updates) knowing that somebody has already given them at least a bit of review, that there are automatic systems in place to keep checking that it keeps working, that there are procedure in place to substitute the people involved in this review if they disappear, if there are security patches I will get them applied without having to upgrade to a completely new version at a random time and basically all the things that I would have to do personally to safely use in production code taken directly from the first layer.

in reply to Elena ``of Valhalla''

Wolf480pl
Wolf480pl
The second layer is called "distros" :P
in reply to Wolf480pl

Wolf480pl
Wolf480pl
also, since with the first layer you have to re-audit with every update, you may as well vendor that dependency (as in, put a copy of a specific version in your repo), so arguably github could be enough as the first layer
in reply to Wolf480pl

Elena ``of Valhalla''
Elena ``of Valhalla''

Honestly having a central point for all things python which is just little more than a directory feels nicer than the alternative of having to go through github, condemning to oblivion everybody who wants to host elsewhere (including self-host).

Some kind of distributed directory would be even better, but I'm not the person who will write one any time soon :D

in reply to Wolf480pl

Elena ``of Valhalla''
Elena ``of Valhalla''

Also, my personal choice rather than vendoring would be to package and upload for debian¹: 90+% of the work has already been done, I might as well do the last bit and make my work useful for everybody else.

¹ because that's what I use and what runs on production. substitute with fedora, arch, whatever else may apply.

in reply to Ryuno-Ki

federico
federico
Each project can be installed with the required OS dependencies. In case you need to test something against an older Debian release you can just use a simple chroot or systemd-nspawn as a container. Less messy and more secure than docker.
in reply to federico

Ryuno-Ki
Ryuno-Ki

That sounds like something I need to research more.

So far I only used chroot for repairing broken installations.
@valhalla

@Elena ``of Valhalla''
in reply to Ryuno-Ki

federico
federico
There's a series of articles starting from:
enricozini.org/blog/2021/debia…
Most of the time you just need an ephemeral run akin to running chroot.

Gitlab runners with nspawn

Enrico Zini
in reply to Wolf480pl

Lance R. Vick
Lance R. Vick
Preventing other people from using it is enough. That and using it as a chance to educate pepole on why thy can't trust NPM.
in reply to TechnicallyPossible

Lance R. Vick
Lance R. Vick

I don't recommend trusting me... or any single individual, with this kind of power.

If someone asks me nicely with a rubber hose, I will be obliged to hand over access.

There is a reason the name of my company is "Distrust"

Distrust should lead to Distributed Trust.

Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
github.com/dominictarr/event-s…
Questa voce è stata modificata (2 anni fa)

Questo sito utilizza cookie per riconosce gli utenti loggati e quelli che tornano a visitare. Proseguendo la navigazione su questo sito, accetti l'utilizzo di questi cookie.