Havoc | 4 days ago
Really feels like these big open package repos need a better security solution. Or at least a core subset of carefully vetted ones. Same issue with Python, Rust etc. It's all very trust driven.

    cgh | 4 days ago
    Is the fundamental problem with npm still a lack of enforced namespacing? In the Java world, I know there's been griping from mostly juniors re "why isn't Maven easy like npm?" (I work with some of these people). I point them to this article: https://www.sonatype.com/blog/why-namespacing-matters-in-pub... Maven got a lot of things right back in the day. Yes, POM files are in XML and we all know XML sucks etc., but aside from that the stodgy focus on robustness and carefully considered change gets more impressive all the time.

        hyperpape | 4 days ago
        Nothing about this attack would be solved by namespacing, but it might have been solved by Maven's use of GPG keys.

            zenmac | 4 days ago
            Isn't it time NPM started to use that? Why has this taken so long?

    lpln3452 | 4 days ago
    In a case like this, the package maintainer's account itself has been hacked, so I'm not sure if that would be meaningful. The only solution would be to prevent all releases from being applied immediately.

        dherls | 4 days ago
        A solution could be enforcing hardware keys for 2FA for all maintainers if a package has more than XX thousand weekly downloads. No hardware keys, no new releases.

            ozim | 3 days ago
            Passkeys - no need for a hardware key. They have it implemented. I created an NPM account today and added a passkey from my laptop and a hardware key as secondary. As I have it configured, it asked me for it while publishing my test package. So the guy either had TOTP or just the password. Seems like it should be easy to implement enforcement.

            winkelmann | 3 days ago
            Crucially, it would have to be set up so they need to use the hardware key when pushing any changes. Just requiring a hardware key as a login method does nothing to protect against token stealing, which I believe is the most common form of supply chain attack right now.

        dsff3f3f3f | 4 days ago
        There needs to be a massive push from the larger important packages to eliminate these idiotic transitive dependencies. Core infrastructure shouldn't rely on trivial packages maintained by a single random person from who knows where that can push updates without review. It's absolutely insane.

    ozim | 3 days ago
    Linux distribution packages are also very trust driven — but you have to earn trust to publish. Then there is a whole system to verify trust. NPM is more like "everything goes".

        euLh7SM5HDFY | 3 days ago
        The sheer volume is the issue. The recent XZ backdoor shows it can happen to everyone. I am pretty sure JS has the most packages, updates and contributors - and it makes it the best ecosystem to target. That anemic standard library doesn't help of course, but 2FA and package signing is required for all package repositories, here and now.

        johnny22 | 3 days ago
        It wouldn't have solved this, because this publisher would have been trusted.