
Embedded malware in RC (NPM package)

140 points by hjek, over 3 years ago

17 comments

greenyoda, over 3 years ago
See also the ongoing discussion about malware in "Coa", another NPM package: https://news.ycombinator.com/item?id=29116878
schleck8, over 3 years ago
And yet again, twice in a row this time.

Note how the referenced Virustotal result has 40+ detections [1]. I'm still wondering why info like this isn't used by Pypi and NPM. Chocolatey has Virustotal integration for all releases.

And it's not like Virustotal is the only option, there is Cape [2] for dynamic execution, Metadefender, and Intezer Analyze just to name a few.

Really confusing for such a vital supply chain component to be this easily abused.

One of the highlights is when someone recently used NPM to spread ransomware via a fake Roblox API package. [3]

[1] https://www.virustotal.com/gui/file/26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf/detection
[2] https://github.com/kevoreilly/CAPEv2
[3] https://www.reddit.com/r/programming/comments/qgz0em/fake_npm_roblox_api_package_installs_ransomware/
tolmasky, over 3 years ago
If you're interested in preventing this sort of thing, I'd appreciate comments on this RFC (https://github.com/npm/rfcs/pull/488) I just submitted to npm to make install scripts opt-in instead of default behavior. While of course not perfect, this simple change would certainly go a long way in increasing the difficulty in creating these sorts of attacks, as right now, as long as a computer even installs the packages in question, not even running any code in the package, the malicious program has a chance at running.

RFC: https://github.com/npm/rfcs/pull/488

Related HN post: https://news.ycombinator.com/item?id=29122473
hn_throwaway_99, over 3 years ago
One of the things I wish was really much easier to do with NPM is, when running `npm update`, to only pick up the most recent compatible versions from X days ago.

That is, for sensitive apps, I don't want to use versions that are less than, say, a month or so old unless I specifically override it. I want to stay up-to-date but not too bleeding edge, specifically to avoid situations like this.
binarynate, over 3 years ago
This is why JS runtimes should add the ability to set permissions on a per-module basis. Deno is a step in the right direction by requiring permissions for a script to be specified (e.g. deno run --allow-read --allow-net myscript.ts), but the permissions are global for the entire script and can't (yet?) be configured differently for each module / dependency.
armchairhacker, over 3 years ago
Genuinely curious: why is malware always discovered in npm packages, and not pip (Python), gradle/maven (JVM), cabal (Haskell), cargo (Rust), CRAN (R), etc.? Or are there major vulnerable packages in those repos but they just don't get audited?
hjek, over 3 years ago
More info: https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/
cookiengineer, over 3 years ago
Every time I see news like this, I am amazed by the absolute lack of permission management in nodejs and npm.

I mean, a package.json with changing permissions and an alert or manual confirmation step could've easily fixed this.

NPM is pretty much the definition of a security nightmare, because you cannot guarantee anything.

Any dependency down the tree can compromise anything upstream.

I think that package managers must offer build bots that use the source codes (git repositories) as sources of truth rather than their own packages. That's the only way that comes to mind to guarantee that the publisher of the package is actually the same owner.

If a git repo changes, warn all users. If a permission changes, warn all users. If a header/symbol file changes, warn all users.
BonoboIO, over 3 years ago
Using npm is like Russian roulette. Someday it makes your head hurt really bad!
qwerty2021, over 3 years ago
I checked the readme of both those packages and I can't for the life of me understand why would anyone use either of them.

Why the fuck do all these leftpad is-even hello-world tic-tac-toe packages have millions of downloads?
madjam002, over 3 years ago
This is like the third one this week right?

I know people keep saying about post-install should be opt out but then malware will just wait for first run instead.

How about an option to refuse to install any packages that have been published in the past week/2 weeks? That way hopefully malware like this would have been spotted before you end up running it locally.
bluefox, over 3 years ago
Is the advisory genuine?

It links to the github repo, where the latest commit is from 2018 for version 1.2.8.

It links to npmjs page, that shows 48 versions, where the latest version is 1.2.8 from "3 years ago".

Yet it has 1.2.9/1.3.9/2.3.9 for "Affected versions".

Did npmjs "revert" these versions and any clue of their existence? The npmjs page links to dominictarr's repository. The npmjs site doesn't seem to have a "who owns this package name" besides the repository/homepage links. Very confusing.

I remember some years ago there was some story involving the original author's handing maintainership rights to some shady dude. Is it about that time, or is it about something more current?
greggman3, over 3 years ago
Would it be better for package managers to default to staying at a fixed version? I know npm defaults to semver upgrades. You say

    npm install foo@3.1.7

And it, by default, inserts "foo@^3.1.7" which means "anything 3.1.7 or higher but not 4.x.x".

In other words, the next time someone installs the dependencies it could be 3.1.8, 3.9.7, 3.1234.999 etc...

But maybe it should default to just the actual version and all upgrades should be required to be manual. Checking my HD I see I have lots of references to "rc@^1.1.6", "rc@^1.2.8" etc, all of which would install 1.2.9 if I reinstall the deps.
rndhouse, over 3 years ago
I've created Vouch in an attempt to address this problem:

https://github.com/vouch-dev/vouch

Vouch lets users create and share reviews for NPM packages. Project dependencies can then be checked against those reviews.

Vouch uses extensions to interface with package ecosystems. It's simple to create a new extension. Extensions currently exist for NPM, PyPi, and Ansible Galaxy.

I'm currently working on a website to index known reviews and publish official reviews.

I hope you guys find it useful! Drop by the Matrix channel if you have any feedback to share: #vouch:matrix.org
sva_, over 3 years ago
Actually had this package installed somewhere...

    "version": "1.2.8",

Pfew, really lucky. Going to nuke npm now.
ricardobayes, over 3 years ago
Seems like a good choice to work at a cybersecurity company these days. Job security is guaranteed.
joshuanapoli, over 3 years ago
How long were the compromised packages available from npm?