Posted by kurmiashish 1 day ago

Malicious npm packages detected across Red Hat Cloud Services (github.com)
764 points | 444 comments (page 7)
hsibenMohamed 1 day ago
Salam
ex-aws-dude 1 day ago
Has anyone thought of having an agent review all dependency upgrades before upgrading?

I feel like that would at least catch some of these.

insanitybit 1 day ago
Yes, I do this. It absolutely would catch some of these.
_pdp_ 1 day ago
Why blame NPM? Would you blame GitLab if an open-source maintainer was hacked and as a result the repo contained malicious changes?

All of these recent incidents are just developers doing stupid things ... like using their compromised devices for making production changes, which is basically a big red flag to begin with.

In fact, the entire situation has been exacerbated by coding agents because now practically everything happens on a single device that touches hundreds of different production systems with full production credentials.

gred 1 day ago
Days since last malicious packages in NPM: 0 (evergreen)

Days since last malicious packages in PyPI: 30

Days since last malicious packages in Maven: 120

I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.

_pdp_ 1 day ago
Except that the JavaScript / NPM ecosystem is 6-7 times larger than Python and Java / Maven.

https://chatgpt.com/share/6a1da751-0d88-832e-ace7-572bc786e0...

Check the linked resource which has the actual data.

gred 1 day ago
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
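As an added illustration (not code from anyone in the thread), here is the "min-release-age" idea from the comment above reduced to its core, run against a constructed sample in the shape of an npm registry packument: choose the newest stable version that has been public for at least N days, and surface any install-time lifecycle scripts the candidate declares so they can be reviewed before upgrading. The field names (dist-tags, time, versions[].scripts) follow the public registry's document shape; all timestamps and versions below are made up.

```python
import json
from datetime import datetime, timedelta
# Constructed sample shaped like an npm registry packument (not real data).
# "time" maps versions (plus "created") to publish timestamps; "versions" holds manifests.
SAMPLE_PACKUMENT = json.loads("""{
  "name": "example-lib",
  "dist-tags": {"latest": "2.1.0"},
  "time": {
    "created": "2025-01-10T12:00:00.000Z",
    "2.0.0": "2025-01-10T12:00:00.000Z",
    "2.0.1": "2025-02-01T12:00:00.000Z",
    "2.1.0-rc.1": "2025-02-20T09:00:00.000Z",
    "2.1.0": "2025-02-27T09:00:00.000Z"
  },
  "versions": {
    "2.0.0": {"scripts": {"test": "node test.js"}},
    "2.0.1": {"scripts": {"test": "node test.js"}},
    "2.1.0-rc.1": {"scripts": {"test": "node test.js"}},
    "2.1.0": {"scripts": {"test": "node test.js", "postinstall": "node setup.js"}}
  }
}""")

# Lifecycle scripts that npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def version_key(version):
    """Sort key for plain x.y.z versions; None for prereleases and non-version keys."""
    if "-" in version or "+" in version:
        return None
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None

def pick_version(packument, min_age_days, now_iso):
    """Newest stable version published at least min_age_days before now_iso, or None."""
    cutoff = parse_ts(now_iso) - timedelta(days=min_age_days)
    eligible = [(version_key(v), v) for v, published in packument["time"].items()
                if version_key(v) is not None and parse_ts(published) <= cutoff]
    return max(eligible)[1] if eligible else None

def install_scripts(packument, version):
    """Install-time hooks declared by `version`; a non-empty result warrants manual review."""
    scripts = packument["versions"].get(version, {}).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}
```

With a 7-day minimum age on 2025-03-01 the sample resolves to 2.0.1 rather than the 2-day-old 2.1.0, and the latter is the only version carrying a postinstall hook.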
_pdp_ 1 day ago
The npm cli has bad defaults, which you can turn off, but they are there, I presume, for legacy reasons. The secure option is pnpm. The registry is fine.

Also, on your comment about size differential ... it absolutely can.

If I jump from 2 meters height it will be mildly uncomfortable. Jumping from 12 meters will result in severe injuries and possibly death. None of these things go linearly in real world conditions.

calvinmorrison 1 day ago
No, because I don't ship production software from GitLab, I use upstream-maintained packages?