
Posted by kurmiashish 1 day ago

Malicious npm packages detected across Red Hat Cloud Services(github.com)
759 points | 444 comments
ffemac 1 day ago|
It will only get much worse because popular AI coding harnesses (OpenCode/KiloCode) will just download random npm packages in the background without you knowing. And the devs don't care.

Setting min age is useless if everyone is doing it. The whole point of setting min age is to make someone else take the bait before you.

beart 21 hours ago|
It isn't useless. Security researchers are the ones catching a lot of these and they will certainly not wait 3 days to inspect a package.
grugdev42 1 day ago||
The joke is on you NPM! I only use CDNs for my JS libraries.
iconicBark 1 day ago||
Is this more secure?? I would genuinely love to know
bdcravens 1 day ago|||
Yes, none of npm's lifecycle hooks. You're just pulling bytes over the wire.
runtime_terror 1 day ago||
Except now you're making http calls to remote servers that could be compromised.
grugdev42 1 day ago|||
This is a solved problem.

Use HTTPS and use the integrity attribute.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...

Also, what's more likely? Someone hacking jsDelivr/cdnjs OR some random NPM packages getting hacked?

phpdave11 1 day ago||||
As long as you embed it with an SRI integrity hash, you're safe, even if the remote server is compromised.
bdcravens 1 day ago|||
Can be mitigated, as the sibling comment points out, but even in the situation you described, the blast radius is reduced, especially for frontend libs.
n_e 1 day ago|||
Yes (assuming they're doing frontend dev and including the resources from the page). The code is fetched and executed from the browser, so it'll have to escape the browser sandbox to do something nefarious.
lostmsu 1 day ago||
Same. I came back to do a little frontend work a couple of years ago and was horrified by the replacement of script tags with subresource integrity with npm and bundlers.
wg0 1 day ago||
Question - is there no way to catch these criminals?
a13n 1 day ago|
It’s difficult to determine which individuals are involved and even if you manage to do that they almost certainly live in countries without extradition.
obsidianbases1 23 hours ago||
Cool down sounds good until everyone does it and the issue isn't caught until afterwards
kittikitti 1 day ago||
I'm refactoring all my personal and research projects to utilize pure HTML/CSS without any dependency of JavaScript. This was always on the table but the cybersecurity risks from all programming languages and frameworks have increased due to AI.

I know of fundamental issues with JavaScript and see no reason why it's still standard on all web browsers.

numron-dev 1 day ago||
As a dev mostly working on Node, those are scary titles to read.
Pxtl 1 day ago||
The combined features that make npm particularly vulnerable:

1) Update by default. Manually updating your package references is annoying and does lead to other security issues as you don't automatically get latest, but it makes this risk much lower.

2) Code executed on install. Statically-typed languages don't run the code until you use them, and that might not happen on the developer machine at all for first run after upgrade, it might be a lower-priv test-server.

3) Culture of many tiny modules (this is good! It's the natural way to fight NIH! Yay modularity!) means many more points-of-failure for security for this kind of attack.

replwoacause 1 day ago||
It's becoming laughable how frequently this is happening. Wow.
kogasa240p 1 day ago||
Throw the JS ecosystem into the sun at this point.
rvz 1 day ago|
This repository itself had to previously update from the axios supply chain attack [0] (co-authored by Claude lol). But just by looking at the change itself, the package is unpinned and won't solve the problem if another malicious security update happens again.

So if you have an unpinned version of this package and you run 'npm install', you immediately download the compromised version and that's that.

[0] https://github.com/RedHatInsights/javascript-clients/commit/...
