Technology @lemmy.world btaf45 @lemmy.world 4mo ago

Hundreds of code libraries posted to NPM try to install malware on dev machines

arstechnica.com Hundreds of code libraries posted to NPM try to install malware on dev machines

These are not the the developer tools you think they are.

Programming @programming.dev mox @lemmy.sdf.org 4mo ago

arstechnica.com /security/2024/11/javascript-developers-targeted-by-hundreds-of-malicious-code-libraries/

82 7

33 comments

Why can't we have nice things instead.
- I mean, this kind of stuff was going to happen.
  
  The more-important and more-widely-used open source software is, the more appealing supply-chain attacks against it are.
  
  The world where it doesn't happen is one where open source doesn't become successful.
  
  I expect that we'll find ways to mitigate stuff like this. Run a lot more software in isolation, have automated checking stuff, make more use of developer reputation, have automated code analysis, have better ways to monitor system changes, have some kind of "trust metric" on packages.
  
  Go back to the 1990s, and most everything I sent online was unencrypted. In 2024, most traffic I send is encrypted. I imagine that changes can be made here too.
  
  I believe you. There is no AI ever made that could have as bad a grammar as you. ;)
- Because people have forgotten that bad actors exist.
I mean programming language package managers are just begging to be used as an attack vector. This is why package management should be an OS responsibility across the board and only trusted package sources and publishers should ever be allowed.
- Or at the very fucking least require specific versions with checksums, like golang.
  
  I really think every package repository should be opt in and every publisher should be required to verify their identity and along with checksum verification for the downloaded files.
- There's also the alternatives of making your own library. I'm happy to use minimal amount of 3rd parties and just make my own instead.
- I'm not sure I understand what you are saying. What part of the OS should managed the packages? The creators aka. Microsoft/Linux foundation/Apple/Google, the distributor, or a kernel module? What about cross platform package managers like Nuget, gradle, npm?
  
  What part of the OS should managed the packages?
  
  The OS package manager. This is already a thing with Python in apt and pacman, where it will give you a fat warning if you try to install a package through pip instead of the actual OS package manager (i.e. pacman -Syu python-numpy instead of pip install numpy)
Tale as old as time.
- 🎶 Beauty and the beast
I don't know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: 'vendoring'. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.
- NPM has that as well. In fact most languages and build tools support that. It's actually rare to not have support for that these days.
  
  Yes. I can't imagine being foolish enough to automatically update your external dependencies when you don't need to.
  
  Ah, good. I wonder why it isn't used more often -- this wouldn't be such a huge problem then I would hope. (Let me guess -- 'convenience', the archenemy of security.)
- I don't think that that's a counter to the specific attack described in the article:
  
  The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.
  
  That'd be a counter if you have some known-good version of a package and are worried about updates containing malicious software.
  
  But in the described attack, they're not trying to push malicious software into legitimate packages. They're hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).
- That won't prevent typo squatting. This article is a out people wanting to add a dependency to "famousLib" and instead typing "famusLib".
  
  What probably help more in Go is the lack of a central repo so you actually need to "go get github.com/whoever..." so typo squatting is a bit be a bit more complicated.
  
  On the other hand it will be an easy fix in NPM by simply adding a check to libraries names and reject names that are too similar since it's centralized.
- I'm with you but I have regrettably been sucked into the node-i-verse against my will.
Good thing people expect no promises of security from javascript anyway.
- I just love async await
Does anyone know how JSR and Deno would do in this type of attack?
That's also why I always use dev containers
This should kill off NPM
- You’d be surprised to see how many common libraries have vulnerabilities every week.
  
  As well as how many common JS libraries, while not malicious have no business existing (ex. IsEven).
- Why stop there lets just kill js in its entirity.
  
  Not really a language-specific problem. Like, there are numerous languages that have distribution mechanisms for libraries that might potentially be malicious.
  
  Only way I can think that the language might be a factor would be if a language were designed to only run in a restricted mode.

33 comments