I’m harvesting credit card numbers and passwords from your site. Here’s how

(Cristian Nebunu) #1

I never thought about framing the security of npm packages this way. Have you?

(cosmos) #2

Shell code, by any chance?

If an attacker successfully injects any code at all, it’s pretty much game over

Inspecting every pull request to an open source project is a serious matter. I liked the quote!

(Kilo Grammer) #3

What do you mean?

(cosmos) #4

Yeah!

I thought I had found something in the article about detailed inspection of pull requests to an open source project. Obfuscated, hard-to-detect code can be hidden in them. Code with malicious intent!

Maybe I didn't read the article carefully.

I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

Look ma, I’m contributing to open source!

There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.

Overall, the campaign has been a big success and my colourful console code is now directly depended on by 23 packages. One of those packages is itself depended upon by a pretty widely used package — my cash cow. I won’t mention any names, but you could say it’s left-padding the coffers.

And this is just one package. I have 6 more on the boil.

I’m now getting about 120,000 downloads a month, and I’m proud to announce, my nasty code is executing daily on a handful of Alexa-top-1000 sites, sending me torrents of usernames, passwords and credit card details

Maybe I'm a bit paranoid!

(Horia Coman) #5

The package is taken from npm (or any other package manager). What appears in git doesn't necessarily have to match what's on npm, and the author mentions this. So inspecting a project's code isn't guaranteed to find something like this.
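The point above, that the tarball npm installs need not match the git tree a reviewer looked at, is something you can check mechanically. The following is an added example (not code from the article or from anyone in this thread): it builds a constructed npm-style tarball in memory, then compares its file list against a constructed set of git-tracked files and pulls out any install-time lifecycle hooks from package.json. The package name, file names and hook command are all made up for the demonstration; in practice the tarball would come from `npm pack` and the tracked list from `git ls-files`.

```python
import io
import json
import tarfile

# Lifecycle scripts that npm runs automatically during install. Anything here
# executes on every machine that installs the package, so it deserves review.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_sample_tarball() -> bytes:
    """Build a constructed npm-style tarball in memory (sample data, not a real package).

    The extra file dist/telemetry.js and the postinstall hook stand in for code
    that was published to the registry but never committed to the repository.
    """
    files = {
        "package/package.json": json.dumps({
            "name": "example-colour-log",  # hypothetical package name
            "version": "1.2.3",
            "main": "index.js",
            "scripts": {"postinstall": "node dist/telemetry.js"},
        }),
        "package/index.js": "module.exports = (s) => console.log(s);\n",
        "package/dist/telemetry.js": "// not present in the git tree\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_tarball_files(tar_bytes: bytes) -> list[str]:
    """Return file paths inside the tarball with npm's leading 'package/' stripped."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return sorted(
            m.name.removeprefix("package/")
            for m in tar.getmembers()
            if m.isfile()
        )


def read_package_json(tar_bytes: bytes) -> dict:
    """Parse package.json straight out of the tarball without extracting to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return json.load(tar.extractfile("package/package.json"))


def audit_package(tar_bytes: bytes, source_files: set[str]) -> dict:
    """Compare the published tarball with the files tracked in the source repo.

    Returns the files that exist only in the tarball and any install-time hooks.
    Both are signals that what was reviewed in git is not what npm installs.
    """
    published = list_tarball_files(tar_bytes)
    extra = [f for f in published if f not in source_files]
    scripts = read_package_json(tar_bytes).get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    return {"extra_files": extra, "install_hooks": hooks}


if __name__ == "__main__":
    # Constructed list of files tracked in the repo (what a PR reviewer would see).
    tracked = {"package.json", "index.js", "README.md"}
    print(json.dumps(audit_package(build_sample_tarball(), tracked), indent=2))
```

Files that are tracked in git but absent from the tarball are normal (README, tests, anything excluded by .npmignore or the `files` field), so the check only reports the other direction: files npm will install that no commit ever contained, plus hooks that run code at install time. Build steps legitimately produce such files too, so the output is a review list, not a verdict.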

(George Grigorita) #6

To some extent snyk can help.

(Ionuț Staicu) #7