More NPM Fun
-
The author of the malicious tool uploaded some of his own credentials in the process of publishing this junk.
-
“It appears that the published versions 1.1.1 and 1.1.2 from the npm repository include the results of testing the ChromePass tool on the author’s personal computer,” researchers observed. “These login credentials were stored in the ‘a.txt’ file located in the same folder as the password-recovery tool, named ‘a.exe’.”
LOL
-
The more I hear about NPM and similar things, the more I'm convinced that the only possible reaction to anything(1) is "run away and scream!".
(1) Anything. Even people running away and screaming rates that reaction.(2)
(2) Inspired by https://xkcd.com/1170/ but kind of the opposite reaction.
-
@Steve_The_Cynic said in More NPM Fun:
I'm convinced that the only possible reaction to anything(1) is "run away and scream!"
GAU-8. FTFY
-
@HardwareGeek said in More NPM Fun:
@Steve_The_Cynic said in More NPM Fun:
I'm convinced that the only possible reaction to anything(1) is "run away and scream!"
GAU-8. FTFY
That too. But run away and scream first.
-
@dkf as usual, Linux folks are left out of the malware.
-
@Gąska Script kiddies just aren't all that good at proper software engineering; they almost never write proper portable code.
-
@dkf said in More NPM Fun:
@Gąska quoted in More NPM Fun:
the password-recovery tool, named ‘a.exe’.
Not called a.out?
IIRC gcc (all versions—mingw32, mingw64, msys, cygwin, djgpp…) will give you a.exe on Windows by default.
-
On a more serious note, I am thinking that
- All node-based development should, from now on, be done in devcontainers. Front-end folks around here mostly use VSCode already, so it wouldn't even be much of a change.
- Docker should be configured to provide an extra layer of firewalling of outgoing connections from the devcontainers. Unfortunately, while CNI has a standard firewall plugin, information on getting it to work with Docker is a mess, because a lot out there on the 'net is hopelessly out-of-date—or not written yet, as in the case of the latest containerd (which is underneath docker these days), which mentions CNI in its config dump, but its documentation does not.
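A devcontainer definition along the lines of the first bullet, added here as an example and not something posted in the thread: it attaches the Node dev container to a Docker network that is assumed to be pre-created and firewalled on the host (the network name, image tag and registry mirror URL are placeholders).

```json
{
  // Constructed example: .devcontainer/devcontainer.json for a Node project.
  "name": "node-restricted",
  // Assumed image; any Node base image would do.
  "image": "mcr.microsoft.com/devcontainers/javascript-node:20",
  "runArgs": [
    // Attach to a user-defined network created beforehand on the host,
    // where outbound traffic is filtered (for instance one created with
    // docker network create --internal, with a registry mirror attached to it).
    "--network=npm-dev-restricted",
    // Limit what a hostile install script can do inside the container.
    "--cap-drop=ALL",
    "--security-opt=no-new-privileges"
  ],
  "containerEnv": {
    // Placeholder: point npm at an internal mirror reachable from the restricted network,
    // so the default public registry is not contacted directly from the container.
    "npm_config_registry": "https://npm-mirror.example.internal/"
  },
  "remoteUser": "node"
}
```

With this in place, anything an install script tries to reach outside the allowed network fails at the Docker network layer rather than relying on the package being honest.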
-
@Bulb I'm all for containerizing node.js devs. We're talking about the kind of containers that you put on a freight ship and then don't see or hear from for a number of months (or ever), right?
-
@cvi said in More NPM Fun:
We're talking about the kind of containers that you put on a freight ship and then don't see or hear from for a number of months (or ever), right?
Funeral urns are containers too!
-
@cvi said in More NPM Fun:
@Bulb I'm all for containerizing node.js devs. We're talking about the kind of containers that you put on a freight ship and then don't see or hear from for a number of months (or ever), right?
A stronger containerization approach involves sealing the containers then placing them in an outer container and filling the slack with molten lead.
-
@Bulb said in More NPM Fun:
devcontainers.
The shitty part of working with containers and emulators is that there are multiple competing hypervisors and you can only have one enabled at a time. I can't run Docker on this machine because it needs Hyper-V and I have to run vagrant with VirtualBox.
Supposedly this can be made to work but when I've tried it, it doesn't.
-
@error said in More NPM Fun:
I can't run Docker on this machine because it needs Hyper-V and I have to run vagrant with VirtualBox.
Supposedly this can be made to work but when I've tried it, it doesn't.
I had Docker, for a time, run on Windows using VirtualBox. The thing is to ditch the Docker-for-Desktop POS and install the other tool called docker-toolbox. That can start a Linux VM using any of the hypervisors. It's a bit less comfortable as it does not have any GUI, but it might even be a bit more reliable (Docker-for-Desktop seems prone to breaking itself on upgrades).
-
@error said in More NPM Fun:
The shitty part of working with containers and emulators is that there are multiple competing hypervisors and you can only have one enabled at a time.
Of course the whole point of containers is that they don't need a hypervisor at all—on Linux, where they originated. Unfortunately Windows can't do it without a hypervisor, and we are in this competing-hypervisor fix in part because Hyper-V tooling sucks.
-
@error said in More NPM Fun:
I have to run vagrant with VirtualBox.
Why? Vagrant does have a Hyper-V driver. You'd have to convert the images, yes, but it should be doable.
-
@Bulb said in More NPM Fun:
@error said in More NPM Fun:
I have to run vagrant with VirtualBox.
Why? Vagrant does have a Hyper-V driver. You'd have to convert the images, yes, but it should be doable.
The images are generated by my employer.
-
@error … and you are all using Windows and VirtualBox? That's a .
You can still try using the docker-toolbox in case you have a need for that (for Linux containers; Windows containers require docker-for-desktop and Hyper-V).
-
Docker can also run on the WSL (Windows Sub-system for Linux) instead of Hyper-V; WSL is not incompatible with VirtualBox. I have Vagrant and Docker running on my Windows machine as we speak. I think I may have had to upgrade Vagrant+VirtualBox, which luckily didn't break anything.
Our VP definitely regrets going with Vagrant lol
-
@konnichimade said in More NPM Fun:
WSL (Windows Sub-system for Linux) instead of Hyper-V; WSL is not incompatible with VirtualBox.
Ah, I thought that WSL did rely on Hyper-V under the hood, but if it does not (I use Linux these days), it makes things a lot easier.
-
@error said in More NPM Fun:
I can't run Docker on this machine because it needs Hyper-V and I have to run vagrant with VirtualBox.
When did you last try? According to @konnichimade it should not need it any more.
-
@Bulb said in More NPM Fun:
Ah, I thought that WSL did rely on Hyper-V under the hood
It's been a while since I set it up, but it's all working together so it must not. Maybe WSL 1 did, and maybe WSL 2 doesn't?
-
@konnichimade I know it used to need it before even WSL1. I think WSL1 didn't need it, but I also believe WSL1 could not run docker. I don't know whether WSL2 does, because I am not using Windows any more.
-
@error said in More NPM Fun:
@Bulb said in More NPM Fun:
devcontainers.
The shitty part of working with containers and emulators is that there are multiple competing hypervisors and you can only have one enabled at a time. I can't run Docker on this machine because it needs Hyper-V and I have to run vagrant with VirtualBox.
Supposedly this can be made to work but when I've tried it, it doesn't.
I was in a similar situation on a previous contract, and I ended up running Docker inside a Linux VM in VirtualBox.
-
@Bulb said in More NPM Fun:
I also believe WSL1 could not run docker.
I think you're right.
I don't know whether WSL2 does
I am running Docker in Windows on WSL2, and it doesn't break VirtualBox+Vagrant, so I guess it doesn't use HyperV. ¯\_(ツ)_/¯
-
@konnichimade It worked well enough and was a welcome respite after a day and some change of fighting with it to try to get it working in Windows
-
@konnichimade … which is precisely what docker itself did before WSL2 anyway.
-
@error said in More NPM Fun:
@Bulb said in More NPM Fun:
@error said in More NPM Fun:
I have to run vagrant with VirtualBox.
Why? Vagrant does have a Hyper-V driver. You'd have to convert the images, yes, but it should be doable.
The images are generated by my employer.
Not a problem. They would love it if you messed with them, most likely. Because very likely, they no longer can.
Day 1, one place, I got to rewrite the install script (so, the init scripts) and repackage the RPM for their monitoring package for my ill-chosen Linux laptop. B/c it didn't work OOTB, and no further reasoning was applied.
-
Oh yeah! I remember trying to get that to work long ago. I did not succeed haha.