Posted by kurmiashish 5 hours ago

Malicious npm packages detected across Red Hat Cloud Services (github.com)
633 points | 336 comments | page 2
exabrial 4 hours ago|
NPM is broken by design. And the NIH syndrome that runs rampant in the community won't let them do anything simple.
beart 1 hour ago|
I don't follow your second sentence. Doesn't npm have the opposite problem of 'not invented here'? By adopting many external packages rather than developing in-house, npm projects tend to have large, complex dependency trees. It has long been the complaint that packages such as https://www.npmjs.com/package/is-windows create potential vulnerabilities and maintenance headaches, when writing the same piece of code directly is so simple.
majorbugger 4 hours ago||
I would like to meet the person behind the "postinstall scripts" idea and try to understand how they thought it was a good idea.
MadrasTh0rn 2 hours ago|
Y'know, just to talk a little bit.
voidUpdate 5 hours ago||
One thing I've never understood is why NPM allows packages to run code immediately after they are installed. What's the use case for that? A package should just be some code you can call on at runtime
tom1337 5 hours ago||
Some packages need to build native dependencies. sharp, for example, needs to build libvips on the system [0] to work.

0: https://github.com/lovell/sharp/blob/main/install/build.js

vinnymac 4 hours ago|||
I’ve always felt this automation shouldn’t exist at all, but should rather be selectively controlled via a hook. The hooks yarn offers out of the box for example can be used to run any code you need to after install. Putting the project owner in control instead of the dependency.
yread 1 hour ago|||
The NuGet/.NET ecosystem just handles it so much better. NetVips assumes libvips is available, and they provide packages for common platforms. No need to waste electricity rebuilding stuff, or to install native build chains, build and test deps. Similar for Skia or SQLite or whatever.
mark_l_watson 4 hours ago||
I turn off running scripts on installation. So far, no inconveniences.
Sudhanshu2310 5 hours ago||
We have done the complete analysis, and there are 32 packages that share the same publishing pipeline. https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hu...
Surac 3 hours ago||
npm is just borked by design. I hope it will take JavaScript with it.
rochak 4 hours ago||
If this is what it will take for folks to move away from the JS ecosystem, I'll take it.
renox 4 hours ago||
Bah, I think that these kinds of vulnerabilities exist in any "packaging ecosystem" where the base language offers "ambient authorities" (any library can access your filesystem), which is... all of them! AFAIK only research languages do not provide these ambient authorities :-(
czbond 3 hours ago|||
I am not a JS dev, but had to interact with the ecosystem some. It became so bad I won't install anything without it being in a Docker or Podman container.
jollyllama 3 hours ago|||
This x1000. This is the culmination of 15 years of frontend dev culture. Why does Red Hat even have an NPM repo?
kogasa240p 3 hours ago||
Seconded
indy 5 hours ago||
This is a completely unexpected turn of events that no one could have possibly foreseen.
zeraye 2 hours ago||
There is some effort to make NPM more secure https://github.com/npm/cli/pull/9360.
arianvanp 5 hours ago||
Given they use nx, my bet is on a developer laptop compromise through the nx VS Code extension that also compromised a GitHub engineer's laptop.
dist-epoch 4 hours ago|
The security of their packages should not depend on one laptop being compromised.