Gigachad 7 hours ago

The problem isn't specific to node. NPM is just the most popular repo so the most value for attacks. The same thing could happen on RubyGems, Cargo, or any of the other package managers.

gred 6 hours ago | parent | next [-]

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

chha 6 hours ago | parent | next [-]

Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.

From what I remember (a few years old, things may have changed) they required devs to stage packages to a specific test env, packages were inspected not only for malware but also vulnerabilities before being released to the public.

NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.

viraptor 6 hours ago | parent | prev | next [-]

There were. They're just not as popular here. For example https://www.sonatype.com/blog/malware-removed-from-maven-cen...

Maven is also a bit more complex than npm and had an issue in the system itself https://arxiv.org/html/2407.18760v4

pimterry 5 hours ago | parent | prev | next [-]

As of 2024, Maven had 1.5 trillion requests annually vs npm's 4.5 trillion - regardless of package count, 3x more downloads in total does make it a very big target (numbers from https://www.sonatype.com/state-of-the-software-supply-chain/...).

skwee357 6 hours ago | parent | prev | next [-]

One speculation would be that most Java apps in the wild use way older Java versions (say 17/11, while the latest LTS is 21).

AndroTux 6 hours ago | parent | prev | next [-]

Okay then, explain to me why this is only possible with NPM? Does it have a hidden "pwn" button that I don't know about?

liveoneggs 5 hours ago | parent | next [-]

https://docs.npmjs.com/cli/v8/using-npm/scripts

tonyedgecombe 5 hours ago | parent | prev | next [-]

> Does it have a hidden "pwn" button that I don't know about?

Perhaps its package owners do.

deafpolygon 6 hours ago | parent | prev [-]

NPM executes packages as you download them.

master-lincoln 6 hours ago | parent | prev | next [-]

No. Having many packages might not be the only reason to start an attack. This post shows it is/was possible in the Maven ecosystem: https://blog.oversecured.com/Introducing-MavenGate-a-supply-...

throwawayffffas 6 hours ago | parent | prev [-]

How many daily downloads does Maven have?

vintagedave 7 hours ago | parent | prev | next [-]

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

cluckindan 7 hours ago | parent | next [-]

Just use dependency cooldown. It will mitigate a lot of risk.

yoavm 6 hours ago | parent [-]

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

flexd 6 hours ago | parent | next [-]

No, because if you used dependency cooldown you wouldn't be using the latest version when you start your project; you would be using the one that is <cooldown period> days/versions old.

edit: but if that's also compromised earlier... \o/

cluckindan 6 hours ago | parent | prev [-]

Obviously you bypass the cooldown to fix critical issues.
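To make the cooldown logic in this subthread concrete, here is an added example (not posted by any commenter) that picks the newest version of a package published at least N days ago, with an explicit allow-list for the "bypass it for critical fixes" case. It assumes the registry's per-package metadata shape, where the `time` map lists an ISO publish timestamp per version; the sample map below is constructed, not real data.

```javascript
// Dependency-cooldown resolver (added example, not from the thread).
// Input is the "time" map from npm registry package metadata
// (GET https://registry.npmjs.org/<name>): version -> ISO publish date,
// plus "created"/"modified" keys that are not versions.

// Constructed sample; not a real package's history.
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2024-06-10T00:00:00.000Z",
  "1.0.0": "2024-01-01T00:00:00.000Z",
  "1.1.0": "2024-05-20T00:00:00.000Z", // 21 days before NOW
  "1.1.1": "2024-06-09T12:00:00.000Z", // 1 day before NOW
  "1.2.0": "2024-06-10T00:00:00.000Z", // half a day before NOW
};

// Fixed "now" so the example is deterministic and runs offline.
const NOW = new Date("2024-06-10T12:00:00.000Z");

// Only plain x.y.z releases; pre-release tags are skipped on purpose.
function isSemver(v) {
  return /^\d+\.\d+\.\d+$/.test(v);
}

function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version whose publish time is at least `cooldownDays` old.
// Versions in `allowList` skip the cooldown (e.g. a vetted critical fix).
// Returns null when nothing has aged past the cooldown yet.
function pickCooledVersion(timeMap, cooldownDays, now = NOW, allowList = []) {
  const cutoff = now.getTime() - cooldownDays * 24 * 60 * 60 * 1000;
  const candidates = Object.keys(timeMap)
    .filter(isSemver)
    .filter((v) => allowList.includes(v) || Date.parse(timeMap[v]) <= cutoff)
    .sort(compareSemver);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

console.log("7-day cooldown picks:", pickCooledVersion(SAMPLE_TIME, 7));
```

With a 7-day cooldown the day-old 1.1.1 and the fresh 1.2.0 are skipped and 1.1.0 is selected; passing `["1.1.1"]` as the allow-list lets that one through without waiting.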

Ygg2 7 hours ago | parent | prev [-]

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.

PunchyHamster 3 hours ago | parent | prev [-]

Value is one thing but the average user (by virtue of being popular) will be just less clued in on any security practices that could mitigate the problem.