Node.js trojans in the wild
-
-
Overall, the campaign has been a big success and my colourful console code is now directly depended on by 23 packages. One of those packages is itself depended upon by a pretty widely used package — my cash cow. I won’t mention any names, but you could say it’s left-padding the coffers.
lmao
-
by @Lorne-Kates in the backyard with a rusty shovel:
-
Somebody was inspired:
-
@captain And he does say he didn't really do it. Probably. Maybe. Assuming you trust him.
But I'm absolutely certain someone is really doing this.
-
@magus The fact that they've found one does nothing to increase my confidence that there aren't others they've missed
-
@jaloopa said in Node.js trojans in the wild:
@magus The fact that they've found one does nothing to increase my confidence that there aren't others they've missed
Since I've seen posts about several packages with nefarious payloads, I'm fairly certain there are a bunch of undiscovered naughties lurking in the swampshack that is npm.
-
@carnage butbutbut open source! Many eyes make bugs shallow
-
@jaloopa said in Node.js trojans in the wild:
@carnage butbutbut open source! Many eyes make bugs shallow
Indeed, the OpenSSL crypto bug was both shallow and caused by the many eyes of open source.
-
Really, this could happen virtually anywhere. crates.io springs to mind. In a min.js file, you can at least unpack and look at the code, but on crates.io, it's in a halfway-compiled format for statically linking, and people treat dependencies like they're free, because they are.
-
@jaloopa said in Node.js trojans in the wild:
butbutbut open source! Many eyes make bugs shallow
Bugs are found and fixed way faster in closed source
-
@carnage said in Node.js trojans in the wild:
Indeed, the OpenSSL crypto bug was both shallow and caused by the many eyes of open source.
Meh. They were using uninitialized stack garbage as a "source of entropy" for the RNG, which is a stupid idea for many reasons. It was right to fix it; they just fixed it the wrong way. (And IIRC, when the problem was discovered, they actually fixed it right instead of reverting to using uninitialized stack garbage.)
-
@timebandit said in Node.js trojans in the wild:
@jaloopa said in Node.js trojans in the wild:
butbutbut open source! Many eyes make bugs shallow
Bugs are found and fixed way faster in closed source
I refuse to believe bugs flying under the radar for over a decade doesn't happen in open source.
-
@pleegwat Well, that's getting into "prove a negative" territory. It's entirely possible that a bug has been undiscovered in a major project for a long time and no one has discovered it, simply as part of the definition of being an undiscovered bug. But is there any evidence of it, such as by a bug finally coming to light in a major open-source project and someone noticing "hey, this has been broken for 19 years!" ?
-
Excellent article. It seems no one has yet done this, but the opportunity is open.
For my current project, I'll definitely push towards fewer, more popular modules. Also, see if I can isolate payment stuff in an iFrame and maybe scramble form input names (but that would prevent browser auto-fill from working)...
-
@magus said in Node.js trojans in the wild:
But I'm absolutely certain someone is really doing this.
You know this by being the one who's done it?
Edit: 11 hours without anyone pointing out the whose/who's mistake. I am disappointed.
-
It annoys my team that I won't let them have unfettered access to nuget.org.
Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me, and nothing is getting onto it unless it's from a trustworthy vendor (i.e. MS, a small handful of others) or it passes a thorough "Do I, the worst developer in the company, upon inspecting the source, understand what it does, and deem it necessary"
And if I can't verify the alleged source actually matches the package, I fork the bastard and build our own package for it.
So far, I have...
207 packages mirrored from nuget.org
3 forks. And all of those are "Stolen from CodeProject" type stuff that never had a nuget package to start with.
When the web guys start wanting to include third party packages, same is going to go for them.
-
@cartman82 said in Node.js trojans in the wild:
I'll definitely push towards fewer, more popular modules.
from all the node-related stuff I've read over the past few years, I'm not sure if this would even help -- if you pull in e.g. Babel then you're hosed because of the hundreds of transitive dependencies the large modules depend on.
-
@bb36e said in Node.js trojans in the wild:
from all the node-related stuff I've read over the past few years, I'm not sure if this would even help -- if you pull in e.g. Babel then you're hosed because of the hundreds of transitive dependencies the large modules depend on.
Babel stays on the server, doesn't get embedded into the bundled app. When they show you those huge npm module listings, only a tiny percentage of those actually get shipped to users.
-
@cartman82 oh right, the article was about code injection on the client side
-
@weng said in Node.js trojans in the wild:
proget
Edit: I wonder if I've answered any of Weng's support tickets.
-
@ben_lubar Nope.
I'm a free edition freeloader and my only contact was with the customer advocate guy who kept trying to get me to demo paid features (I ain't gonna do that until I've figured out a budget hole to stick it in. The joys of unauthorized toolchains.)
-
@weng said in Node.js trojans in the wild:
I'm a free edition freeloader
the "everyone is an admin" edition?
-
@ben_lubar I think it has userlevels, just no login federation.
Not that I've looked, because my two accounts are named "admin" and "teamcity" (I've never been able to get feed specific API keys to work, just user:password API keys, else I wouldn't even have that one)
-
@weng said in Node.js trojans in the wild:
@ben_lubar I think it has userlevels, just no login federation.
Not that I've looked, because my two accounts are named "admin" and "teamcity" (I've never been able to get feed specific API keys to work, just user:password API keys, else I wouldn't even have that one)
Ah, I'm thinking of BuildMaster. In BuildMaster Express, all users have admin access, including guests.
-
@weng said in Node.js trojans in the wild:
It annoys my team that I won't let them have unfettered access to nuget.org.
Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me...
The problem with them still having access to NuGet.org: what's stopping them from dropping the package in a file share, and adding that as a package source in NuGet.config?
-
@unperverted-vixen said in Node.js trojans in the wild:
@weng said in Node.js trojans in the wild:
It annoys my team that I won't let them have unfettered access to nuget.org.
Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me...
[snip] what's stopping them from dropping the package in a file share, and adding that as a package source in NuGet.config?
@Weng's clue by four?
-
@unperverted-vixen said in Node.js trojans in the wild:
@weng said in Node.js trojans in the wild:
It annoys my team that I won't let them have unfettered access to nuget.org.
Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me...
The problem with them still having access to NuGet.org: what's stopping them from dropping the package in a file share, and adding that as a package source in NuGet.config?
- They aren't that creative
- Murder.
-
@weng
Ah, I see you have @Lorne-Kates on retainer to deal with your special cases...
-
@weng said in Node.js trojans in the wild:
@unperverted-vixen said in Node.js trojans in the wild:
@weng said in Node.js trojans in the wild:
It annoys my team that I won't let them have unfettered access to nuget.org.
Okay, THEY can have access. The build server can't. And the only one with the keys to our proget instance is me...
The problem with them still having access to NuGet.org: what's stopping them from dropping the package in a file share, and adding that as a package source in NuGet.config?
- They aren't that creative
- Murder.
I mean, that scenario is basically the same as "what if they copy and paste a virus into the code from StackOverflow?"