dist-epoch 6 hours ago

It's just where the users and the juicy targets are.

NPM packages are used by huge Electron apps like Discord, Slack, VS Code, the holy grail would be to somehow slip something inside them.

LeifCarrotson 5 hours ago | parent | next [-]

It's both that and a culture of installing a myriad of constantly-updating, tiny libraries to do basic utility functions. (Not even libraries, they're more like individual pages in individual books).

In our line-of-business .NET app, we have a logger, a database, a unit tester, and a driver for some specialty hardware. We upgrade to the latest version of each external dependency about once per year (every major version) to avoid accruing tech debt. They're all pinned and locally hosted, nuget exists but we (like most .Net developers) don't use it to the extent that npm devs do. We read the changelogs - all four of them! - and manually update.

I understand that the NPM ecosystem works differently from a "batteries included" .Net environment for a desktop app, but it's not just about where the users are. Line of business code in .Net and Java apps process a lot of important data. Slipping a malicious package into pypi could expose all kinds of juicy, proprietary data, but again, it's less about the existence of a package manager and more about when and how you use it.
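The "pinned and locally hosted" discipline described in the comment above can be checked mechanically on the npm side. The script below is an added example, not code from any commenter in this thread: it reads a package.json for range specifiers instead of exact versions, and walks a lockfileVersion 2/3 package-lock.json to flag entries that lack an integrity hash or resolve from somewhere other than a single approved registry. The registry URL and the package data are constructed for illustration.

```python
"""Audit npm manifests for exact pins, integrity hashes and a single registry.

Added example; the registry URL and sample package data are constructed.
"""
import json
import re

# Specifiers that are ranges, tags or non-registry sources rather than exact pins.
RANGE_MARKERS = re.compile(r"^[\^~>=<*]|^latest$|\|\||\s-\s|\.x(\.|$)|^(git|http|file)")

# Hypothetical locally hosted mirror; in the comment's setup all tarballs come from here.
ALLOWED_REGISTRY = "https://npm.internal.example/"

# Constructed package.json: one exact pin, one caret range, one dist-tag.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {"left-pad": "^1.3.0", "lodash": "4.17.21"},
    "devDependencies": {"eslint": "latest"},
}

# Constructed package-lock.json (lockfileVersion 3 layout, "packages" keyed by path).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "lob-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": ALLOWED_REGISTRY + "lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/eslint": {
            "version": "9.0.0",
            "resolved": ALLOWED_REGISTRY + "eslint/-/eslint-9.0.0.tgz",
            # integrity deliberately absent
        },
        "node_modules/internal-tool": {"resolved": "packages/internal-tool", "link": True},
    },
}


def unpinned_specs(package_json):
    """Return 'name@spec' for every dependency whose spec is not an exact version."""
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if RANGE_MARKERS.search(spec):
                out.append(f"{name}@{spec}")
    return sorted(out)


def lockfile_findings(lock, allowed_registry):
    """Report lock entries without an integrity hash or outside the approved registry."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            # Skip the root project and workspace symlinks (no tarball to verify).
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "?")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(allowed_registry):
            findings.append(f"{name}@{version}: resolved from {resolved or '<missing>'}")
        if "integrity" not in entry:
            findings.append(f"{name}@{version}: no integrity hash")
    return findings


def audit(package_json, lock, allowed_registry):
    """Combine both checks; an empty result means the manifests pass."""
    return {
        "unpinned": unpinned_specs(package_json),
        "lockfile": lockfile_findings(lock, allowed_registry),
    }


if __name__ == "__main__":
    # On a real project: json.load(open("package.json")) and json.load(open("package-lock.json")).
    print(json.dumps(audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, ALLOWED_REGISTRY), indent=2))
```

Run as a pre-merge check, a non-empty result is the signal that someone added a floating range or that a tarball was fetched from outside the mirror; `npm ci` already refuses a lock/manifest mismatch, but it does not enforce a registry policy or the absence of ranges in package.json.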

dist-epoch 3 hours ago | parent [-]

> Slipping a malicious package into pypi could expose all kinds of juicy, proprietary data

> In July 2024, Bittensor users were the victims of an $8 million hack. The Bittensor hack was an example of a supply chain hack using PyPI. PyPI is a site that hosts packages for the Python programming language

https://www.halborn.com/blog/post/explained-the-bittensor-ha...

guidedlight 6 hours ago | parent | prev | next [-]

We don't see these attacks nearly as severely or frequently on Maven, which is a much older package management solution. Maven users would be far more attractive targets given corporates extensively run Java.

mr_toad 5 hours ago | parent [-]

Number of packages doesn’t mean much. If you can get your code into just one Javascript package you could have it run on billions of browsers. With Java it’s hard to get the same distribution (although the log4j vulnerability shows it’s not entirely impossible).

ehnto 6 hours ago | parent | prev | next [-]

It is also, in my humble but informed opinion, where you will find the least security-conscious programs, just because of the breadth of its use and myriad of deployments.

It's the new pragmatic choice for web apps and so everyone is using it, from battle-hardened teams to total noobs to people who just don't give a shit. It reminds me of Wordpress from 10 years ago, when it was the goto platform for cheap new websites.

anthk 6 hours ago | parent | prev | next [-]

Every NPM turd should be run with bubblewrap or a similar sandbox toolkit at least.

gchamonlive 5 hours ago | parent | prev [-]

So do you expect other supply chain services that also supply juicy targets to be affected? I mean, we live in a bubble here in HN, so not seeing something in the front page doesn't mean it doesn't exist or it doesn't happen, but the feeling is that NPM is particularly more vulnerable than other services, correct me if I'm wrong.