1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed
5. Enjoy world domination.
Lance R. Vick, in reply to Lance R. Vick:
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
Sandra, in reply to Lance R. Vick:
federico, in reply to Sandra:
clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛, in reply to Sandra:
Not so with the typical npm dependency tree. The culture is completely different. Your transitive dependencies will typically count in the hundreds rather than a handful.
Arguably those hyper-prolific authors that maintain 390 published packages cannot even be active community members of their own packages, which could be said to be a contributing reason for that Tarr incident.
Sandra, in reply to clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛:
clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛, in reply to Sandra:
Johann150 ⁂ :ipv6: :open_access: ☮, in reply to Lance R. Vick:
Beko Pharm, in reply to Johann150 ⁂ :ipv6: :open_access: ☮:
Now if you have, for _some_ weird reason, a system that requires some _older_ build target, you get a polyfill.
That was provided by packages like this and should be helluvEOL nowadays. There are better suited and highly automated polyfills.
Anyway, the issue is very real. This happened before and will happen again.
It's also the very same for most language-dependent package managers out there, and this is why version pinning is a thing.
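Beko Pharm's point about version pinning, turned into a check a defender can run over a project. This is an added example, not code from the thread: a Node script that audits a constructed package.json and package-lock.json (the `packages` map of lockfile v3) for floating version ranges, lock entries without an `integrity` hash, and tarballs resolved from outside the registry; the package versions and hashes are placeholders.

```javascript
// Added example (not from the thread): audit a package.json and its lockfile
// for what lets a hijacked dependency slide in silently: floating ranges,
// lock entries with no integrity hash, off-registry tarballs. Sample data is
// constructed; versions and hashes are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "foreach": "^2.0.0",  // caret range: any new 2.x.y publish is accepted
    "left-pad": "1.0.0",  // exact pin
    "lodash": "~4.0.0",   // tilde range: any new 4.0.y publish is accepted
  },
};

const REGISTRY = "https://registry.npmjs.org/";
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/foreach": { version: "2.0.0", resolved: REGISTRY + "foreach/-/foreach-2.0.0.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER==" },
    // no integrity field: a swapped tarball would install without complaint
    "node_modules/left-pad": { version: "1.0.0", resolved: REGISTRY + "left-pad/-/left-pad-1.0.0.tgz" },
    "node_modules/lodash": { version: "4.0.1", resolved: "https://mirror.example.invalid/lodash-4.0.1.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER==" },
  },
};

// A range counts as pinned only when it is one exact semver version.
function isPinned(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// One finding per problem on the direct dependencies; [] means clean.
function auditDependencies(pkg, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (!isPinned(range)) findings.push({ name, issue: "floating-range", detail: range });
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { findings.push({ name, issue: "missing-from-lock" }); continue; }
    if (!entry.integrity) findings.push({ name, issue: "no-integrity", detail: entry.version });
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY))
      findings.push({ name, issue: "off-registry-source", detail: entry.resolved });
  }
  return findings;
}

// Installed tree size, root entry excluded: the "hundreds of transitive
// dependencies" figure from the thread, computed from a real lockfile.
function installedPackageCount(lock) {
  return Object.keys(lock.packages || {}).filter((k) => k !== "").length;
}
```

Run against a real project by replacing the two constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a pinned range only helps if the lockfile entry also carries an integrity hash, which is why both checks are reported.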
Ryuno-Ki, in reply to Beko Pharm:
@Johann150
Beko Pharm, in reply to Ryuno-Ki:
No 2FA on your Google Dev account? Too bad 🙃
Elena ``of Valhalla'', in reply to Ryuno-Ki:
With npm it happens more often because of the higher visibility, of the culture of tiny libraries that multiplies the attack surface by a few orders of magnitude, and other social factors.
Elena ``of Valhalla'', in reply to Elena ``of Valhalla'':
One where everybody can upload, and I as a moderately competent software person can go to discover new things, review them (both as code and as maintainership situation), and decide whether or not I want to trust them.
And another where I as a tired person who needs the software|library *now* can go and get things (and trust automatic updates) knowing that somebody has already given them at least a bit of review, that there are automatic systems in place to keep checking that it keeps working, that there are procedures in place to substitute the people involved in this review if they disappear, that if there are security patches I will get them applied without having to upgrade to a completely new version at a random time, and basically all the things that I would have to do personally to safely use in production code taken directly from the first layer.
Wolf480pl, in reply to Elena ``of Valhalla'':
Wolf480pl, in reply to Wolf480pl:
Elena ``of Valhalla'', in reply to Wolf480pl:
Some kind of distributed directory would be even better, but I'm not the person who will write one any time soon :D
Elena ``of Valhalla'', in reply to Wolf480pl:
¹ because that's what I use and what runs on production. Substitute with Fedora, Arch, whatever else may apply.
Ryuno-Ki, in reply to Elena ``of Valhalla'':
Nor using Docker or VMs.
(Anybody want to stop getting notified?)
@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150
federico, in reply to Ryuno-Ki:
Ryuno-Ki, in reply to federico:
So far I have only used chroot for repairing broken installations.
@valhalla
federico, in reply to Ryuno-Ki:
https://www.enricozini.org/blog/2021/debian/gitlab-runners-with-nspawn/
Most of the time you just need an ephemeral run akin to running chroot.
(Linked post: "Gitlab runners with nspawn" by Enrico Zini)
Elena ``of Valhalla'', in reply to Wolf480pl:
Wolf480pl, in reply to Lance R. Vick:
Lance R. Vick, in reply to Wolf480pl:
TechnicallyPossible, in reply to Lance R. Vick:
@wolf480pl
Lance R. Vick, in reply to TechnicallyPossible:
If someone asks me nicely with a rubber hose, I will be obliged to hand over access.
There is a reason the name of my company is "Distrust".
Distrust should lead to Distributed Trust.
Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.
clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛, in reply to an unknown parent:
clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛, in reply to clacke: inhibited exhausted pixie dream boy 🇸🇪🇭🇰💙💛: