NPM is an unbootstrapped dumpster fire.
Well it does stand for Node Packaged Malware soooo
It takes like 2GB worth of dependencies just to install a single library.
This is exactly why distros decided to package pypi, npm and several other scripting package managers, just to make sure you don’t break dependencies.
Actually, with something like Fedora Hummingbird you can choose a different point of distribution, relying on human moderators instead of automated processes.
Of course there’s always chainguard.
Node in general. Especially the core devs.
npm is finally going to disable postinstall scripts by default in the next major version at least, copying what other JS package managers like pnpm do. They also added a setting for minimum age (only install package versions that are at least X days old) which is meant to help too - the idea being that malware will have been detected and removed before anyone installs it.
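The minimum-age idea from the comment above, as an added example that is not from the thread and not npm's own implementation: it takes a constructed packument `time` map, picks the newest version published at least N days before a reference time, and lists any install-time lifecycle hooks the chosen version declares. Version ordering is simplified to dotted integers (an assumption; real semver also has prerelease tags).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the "time" map from an npm registry packument
# (version -> ISO 8601 publish timestamp). Not real data.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2025-06-02T11:30:00.000Z",
    "1.4.0": "2024-11-20T08:15:00.000Z",
    "1.4.1": "2025-05-28T14:00:00.000Z",
    "1.5.0": "2025-06-02T11:30:00.000Z",  # published hours before REFERENCE_NOW
}

# Constructed "scripts" blocks per version, as found under "versions" in a
# packument. The 1.5.0 entry carries a postinstall hook. Not real data.
SAMPLE_SCRIPTS = {
    "1.4.0": {"test": "node test.js"},
    "1.4.1": {"test": "node test.js"},
    "1.5.0": {"test": "node test.js", "postinstall": "node setup.js"},
}

# Hooks npm runs during install when scripts are not ignored.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Fixed "now" so the example is reproducible offline (constructed).
REFERENCE_NOW = datetime(2025, 6, 2, 18, 0, tzinfo=timezone.utc)


def parse_iso(ts):
    """Parse a registry timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version):
    """Simplified ordering: dotted integers only (assumption, see lead-in)."""
    return tuple(int(part) for part in version.split("."))


def select_version(time_map, min_age_days, now=REFERENCE_NOW):
    """Newest version published at least min_age_days before now, else None."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, ts in time_map.items()
                if v not in ("created", "modified") and parse_iso(ts) <= cutoff]
    return max(eligible, key=version_key) if eligible else None


def lifecycle_scripts(scripts):
    """Install-time hooks a version would run if scripts were enabled."""
    return sorted(name for name in scripts if name in LIFECYCLE_HOOKS)
```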
People use third-party Linux package repos all the time though, and they have similar attack vectors. If I can convince you to add my Debian/RPM/whatever repo, I can create a package with the same name as a common one but with a newer version number, and `apt upgrade` will happily replace the official package with my malicious one. This is intentional for several reasons (e.g. deb.sury.org has PHP packages that replace the official Debian ones) but I’m really surprised we don’t see more supply chain attacks via third-party deb/rpm repos. Maybe it’s because the barrier to entry is higher? With a custom deb repo (either self-hosted or using something like Packagecloud or Ubuntu PPA), you need to create the repo, create Debian packages, add them to the repo (e.g. using Aptly), GPG sign the repo, and convince people to add the repo. npm is just one repo with everything in it.
Convincing people to use it is also hard.
When I’m looking for a package that’s not in the official repos, I add only either popular repos with active maintainers who do regular updates or ones from packagers I know personally.
First one is hard to fake for obvious reasons. I guess someone could try to know me personally and somehow engineer a situation where I would want to have a piece of software that they package, but that’s arguably even harder to pull off and is certainly not worth it for stealing one nerd’s worth of money.
Not only do you have to set up the infrastructure to host multiple repositories (deb, rpm), you also have to build and deploy multiple packages of sufficient quality that you don’t break something else, which for a common/popular package would make the malware immediately noticeable.
OOTL
lemmy loop you in: https://infosec.exchange/@ifin/116735279416101129
TL;DR: lots of AUR packages got hijacked and install an infostealer; if you updated today/yesterday, there is a reasonable chance you got hit by it :(
Also: the infostealer is installed by AUR via npm
I bet you’ve been itching to drop that clever pun out for quite some time lol
If you are too stupid to read the `PKGBUILD` then you probably deserve it. People tend to read them the first time when installing stuff, yet rarely think about the scenario of a well-used package taken over by a malicious actor making changes.
Weird way to out yourself but