Posted by kurmiashish 1 day ago

Malicious npm packages detected across Red Hat Cloud Services (github.com)
761 points | 444 comments | page 5
anoncow 1 day ago
This seems to be sinister
shrikant 1 day ago
Oooh now I'm wondering if this may have contributed to their Docker image distribution service getting disrupted earlier today... https://status.redhat.com/incidents/jn6r256zc62c
what_hn 1 day ago
Same actors again?
tetsgima 1 day ago
man we gotta do smth with preinstall hooks atp
Escapade5160 1 day ago
Can someone give a tldr on why this happens so much with npm? I can't recall seeing this with any other package manager. Is npm just the default used these days and therefore sees this more often?
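The install-time hook problem this comment points at, shown with an added example that is not part of the thread and not code from any project named on the page: a POSIX shell audit that lists installed packages declaring preinstall, install or postinstall scripts, the hooks npm runs automatically during install unless ignore-scripts is set (on the command line or in .npmrc). The sample package tree, the package names sample-lib and sample-hooked, and the function names are constructed for this example; the key matching is a grep heuristic, so a JSON-aware tool is stricter where one is available.

```shell
#!/bin/sh
# Added example (not from the thread): audit a node_modules-style tree for
# packages that declare install-time lifecycle scripts. Such scripts execute
# with the installing user's privileges during `npm install`, which is why
# `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) is a common
# mitigation, with allow-listing of the few packages that genuinely need them.

# find_install_scripts DIR
#   prints "relative/path/package.json: key" for every hit;
#   returns 1 when at least one install-time script was found, 0 otherwise.
#   Heuristic: looks for the key names followed by a colon inside package.json;
#   a JSON parser (jq, node) would be stricter than this grep.
find_install_scripts() {
  dir="$1"
  found=0
  for pkg in $(find "$dir" -name package.json -type f | sort); do
    for key in preinstall install postinstall; do
      if grep -Eq "\"$key\"[[:space:]]*:" "$pkg"; then
        echo "${pkg#"$dir"/}: $key"
        found=1
      fi
    done
  done
  return $found
}

# count_install_scripts DIR -> number of hits, as a plain integer
count_install_scripts() {
  find_install_scripts "$1" | wc -l | tr -d ' '
}

# make_sample -> path of a constructed tree standing in for node_modules:
#   sample-lib has only a test script, sample-hooked declares a preinstall hook.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/sample-lib" "$root/sample-hooked"
  cat > "$root/sample-lib/package.json" <<'EOF'
{ "name": "sample-lib", "version": "1.0.0",
  "scripts": { "test": "node test.js" } }
EOF
  cat > "$root/sample-hooked/package.json" <<'EOF'
{ "name": "sample-hooked", "version": "0.0.1",
  "scripts": { "preinstall": "node setup.js", "test": "true" } }
EOF
  echo "$root"
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample)
  find_install_scripts "$sample" \
    || echo "WARNING: install-time scripts present; review them or install with --ignore-scripts"
  rm -rf "$sample"
fi
```

Point the function at a real node_modules directory to get the list of packages whose hooks run at install time; the non-zero return code makes it easy to fail a CI step when an unexpected package appears on that list.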
greatgib 23 hours ago
In addition to my usual rant about the current situation, with most devs now wanting to use dependencies in prod almost the day they are released, there is something else that I just realized. A big part of the problem might be attributed to Github and the modern CI/CD frameworks.

Before, the source code was located somewhere, and the CI was usually located somewhere else, and slightly unrelated. At first, the CI job was to build ("privately") the artefacts, and they were manually released and deployed by the maintainers and owners of software projects.

Then, it became the norm to have the CI configuration file located within the VCS, and the VCS-located source code controlling the CI. For example, having the "script"/"description" of the CI actions located within the VCS itself.

Then, Github killed the CI/CD software market by offering "actions" almost for free and totally integrated within Github that was already widely used.

But still, for a long time people were wary to put tokens and security keys in Github and "public" CI/CD jobs and services.

And then, a few years ago, it became the gold standard also... You would look ridiculous to manually sign and deploy new releases with well-guarded keys. What is expected from you is to have all your aws, github, ... secret api keys loaded in Github, and to have your deployment and infrastructure provisioning automated with ("public") github accounts. All to be deployable within a second of a change being pushed.

So, obviously, the moment a hacker gets control of a Github account or Github API keys, it is game over for the entire infrastructure.

Here I only referenced Github, but the bad things that it taught us became the norm, and now these patterns are replicated everywhere (Gitlab, ...).

bobkb 1 day ago
When will npm issues stop? This has become a big pain!
Noaidi 1 day ago
Human society, and our technology, is a fragile system built on our hubris, a cheap replacement for the Divine Eye of Providence.
bpavuk 1 day ago
Violence!