Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
TZubiri 12 hours ago

Not all the npm packages, but always an npm package

cyanydeez 11 hours ago | parent [-]

While you think this is a producer problem, it's simply a userland market.

Just like in the 90s when viruses primarily went to windows, it' wasn't some magical property of windows, it was the market of users available.

Also, following this logic, it then becomes survivorship bias, in that the more attacks they get, the more researchers spend time looking & documenting.

elwebmaster 6 hours ago | parent | next [-]

While it can happen to anyone npm does preselect the users most likely to unknowingly amplify such an attack. Just today I was working on a simple JS script while disconnected from the Internet, Qwen Coder suggested I “npm install glob” which I couldn’t because there was no internet, so I asked for an alternative and sure enough the alternative solution was two lines of vanilla JS. This is just one example but it is the modus operandi of the NPM ecosystem.

KevinMS 8 hours ago | parent | prev | next [-]

> it' wasn't some magical property of windows

no, it really was windows

foobiekr 6 hours ago | parent [-]

It really wasn't. MacOS classic was full of vulnerabilities as was OS/2 and Linux up through 2004. Windows dominated because it was the biggest ecosystem.

ndsipa_pomu 18 minutes ago | parent | next [-]

What made Windows easy to exploit was that it enabled a bunch of network services by default. I don't know about MacOS, but Linux disabled network services by default and generally had a better grasp of network security such as requiring authentication for services (e.g. compare telnet and ssh).

Also, Windows had the ridiculous default of immediately running things when a user put in a CD or USB stick - that behaviour led to many infections and is obviously a stupid default option.

I'm not even going to mention the old Windows design of everyone running with admin privileges on their desktop.

elwebmaster 6 hours ago | parent | prev [-]

And had the highest proportion of ignorant users.

TZubiri 10 hours ago | parent | prev [-]

right, npm users. The extreme demand for simple packages and the absent consideration creates an opportunity for attackers to insert "free" solutions. The problem are the 'npm install' happy developers no doubt.