zahlman 4 days ago

Yes, but this is an ecosystem large enough to include people who have that time (and inclination and ability); and once they have reported a problem, everyone is on high alert.

wongarsu 4 days ago | parent [-]

If you steal the cookies from dev machines or steal ssh keys along with a list of recent ssh connections or do any other credential theft there are going to be lots of people left impacted. Yes, lots of people reading tech news or security bulletins are going to check if they were compromised and preemptively revoke those credentials. But that's work, meaning even among those informed there will be many who just assume they weren't impacted. Lots of people/organisations are going to be complacent and leave you with valid credentials.

ameliaquining 4 days ago | parent | next [-]

If a dev doesn't happen to run npm install during the period between when the compromised package gets published and when npm yanks it (which for something this high-profile is generally measured in hours, not days), then they aren't going to be impacted. So an attacker's patience won't be rewarded with many valid credentials.

giveita 3 days ago | parent [-]

Dev, or their IDE, agent, etc.

komali2 3 days ago | parent [-]

Their build chain, CI environment, server...

ameliaquining 3 days ago | parent [-]

npm ci wouldn't trigger this; it doesn't pick up newly published package versions. I suppose if you got a PR from Dependabot updating you to the compromised package, and happened to merge it within the window of vulnerability, then you'd get hit, but that will likewise not affect all that many developers. Or if you'd configured Dependabot to automatically merge all updates without review; I'm not sure how common that is.
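The distinction drawn above (a lockfile pins what `npm ci` installs, while a floating range is what a lockfile-less install or a dependency bump would resolve) can be checked offline against a known-bad release list. This is an added example, not code from the thread; the advisory entries and the package-lock.json are constructed placeholders, and versions are assumed to be plain X.Y.Z.

```python
"""Offline check of an npm project against a known-bad release list.
Added example, not code from the thread; the advisory and the lockfile
below are constructed placeholders, and versions are assumed plain X.Y.Z."""
import json

# Constructed advisory: placeholder names and versions, not real releases.
COMPROMISED = {"example-colors": {"1.4.1"}, "example-ansi": {"6.2.2"}}

# Constructed package-lock.json in lockfileVersion 3 layout: a flat
# 'packages' map keyed by install path; the "" entry is the project itself.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-colors": "^1.4.0", "example-ansi": "6.1.0"}},
        "node_modules/example-colors": {"version": "1.4.0"},
        "node_modules/example-ansi": {"version": "6.1.0"},
        "node_modules/other/node_modules/example-ansi": {"version": "6.2.2"},
    },
})

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def caret_allows(spec, version):
    """npm caret rule: '^1.4.0' admits >=1.4.0 <2.0.0, '^0.2.3' admits
    >=0.2.3 <0.3.0, '^0.0.3' admits only 0.0.3. An exact pin admits itself."""
    if not spec.startswith("^"):
        return spec == version
    floor, cand = parse_version(spec[1:]), parse_version(version)
    lead = next((i for i, part in enumerate(floor) if part), len(floor) - 1)
    return cand[: lead + 1] == floor[: lead + 1] and cand >= floor

def find_installed(lock_text, compromised):
    """Bad versions pinned in the lockfile, i.e. what `npm ci` would install."""
    hits = []
    for path, meta in json.loads(lock_text)["packages"].items():
        if path == "":
            continue
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in compromised.get(name, ()):
            hits.append((path, name, meta["version"]))
    return hits

def find_exposed_ranges(lock_text, compromised):
    """Root ranges that would admit a bad version on a lockfile-less install or bump."""
    root = json.loads(lock_text)["packages"][""]
    deps = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    return sorted((n, spec, v) for n, spec in deps.items()
                  for v in compromised.get(n, ()) if caret_allows(spec, v))
```

On the sample, `find_installed` flags only the nested `example-ansi` copy, while `find_exposed_ranges` flags `example-colors`, whose `^1.4.0` range would admit the bad 1.4.1 even though 1.4.0 is what is currently locked.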

com2kid 4 days ago | parent | prev [-]

But that is dumb luck. Release an exploit, hope you can then gain further entry into a system at a company that is both high value and doesn't have any basic security practices in place.

That could have netted the attacker something much more valuable, but it is pure hit or miss and it requires more skill and patience for a payoff.

VS blast out some crypto stealing code and grab as many funds as possible before being found out.

> Lots of people/organisations are going to be complacent and leave you with valid credentials

You'd get non-root credentials on lots of dev machines, and likely some non-root credentials on prod machines, and possibly root access to some poorly configured machines.

Two factor is still in place, you only have whatever creds that NPM install was run with. Plenty of the really high value prod targets may very well be on machines that don't even have publicly routable IPs.

With a large enough blast radius, this may have worked, but it wouldn't be guaranteed.