Yeah, easily solved.

Would love to hear your genius solutions right here that Microsoft is too dumb to come up with and implement.

Riverheart 2 days ago | parent | next [-]

Well, from recent experience they could make “npm audit” usable without having to use a third party library like “better npm audit”. There’s no filtering or configuration at all. There are so many unimportant or irrelevant vulnerabilities reported that I have no doubt that people just ignore auditing because they don’t consider the 1000 high severity DoS vulnerabilities they can’t ignore relevant for their CLI app. =/

The tradeoff for security is usability and the worse the usability gets the more people fight back against it.

https://www.npmjs.com/package/better-npm-audit

▲

righthand 2 days ago | parent | prev | next [-]

Hate to tell ya but package signing is not a new problem and they could make it opt-in. There has been a Github issue and merge request submitted to enable it. But they were closed and denied. Malice or incompetence?

Hilarious that you think this is a some sort of impossible feat for a trillion dollar company.

▲

dns_snek 2 days ago | parent | prev [-]

Seriously? This is is extremely low hanging fruit that's not being taken care of. You shouldn't be able to take over a software dependency with a phishing email. Requiring simple PGP code signing or even just passkey authentication would eradicate that entire attack vector.

Future attacks would then require a level access of access that's already synonymous with "game over" for all intents and purposes (e.g. physical access, malware, or inside job). It's not bulletproof but it would be many orders of magnitude better than the current situation.

▲

rs186 2 days ago | parent [-]

As long as you can publish a package in a CI environment (which is essential), none of what you mentioned matters. And that's not even the point.

That phishing email is just one of the ways attackers use to infiltrate, which is not Microsoft's problem to begin with. Next time, the attacker could install malware in your machine that silently runs code and publish a package on your behalf using your own credentials stored locally while you think everything is ok, and you'd still blame Microsoft for not doing enough.

	▲	dns_snek 2 days ago \| parent \| next [-]
		> Next time, the attacker could install malware in your machine I already addressed this in the previous comment but I hope you realize the absurdity of this statement. If the attacker can corner you in a dark alley they can steal your yubikey and beat the PIN out of you, too. By that logic is 2FA futile and should we all stop using it? Security isn't binary, simply raising the bar from falling for a phishing email to gaining access to someone's machine will probably eliminate 99% of all compromises. > and you'd still blame Microsoft for not doing enough Gaining access to someone's machine is definitive "game over" scenario, using that as an excuse not to harden security to the point that that's the only option left is lazy and irresponsible. Even with that kind of access, code signing will slow the viral spread way down which would make a difference. Once you make it hard to hijack packages, time will be better spent on investing in sandboxing which also protects people from insider threats.
	▲	righthand 2 days ago \| parent \| prev [-]
		You should indicate whether or not you work for or somehow are affiliated with Microsoft.