fraywing 4 hours ago

Incredible uptick in supply chain attacks over the last few weeks.

I feel like npm specifically needs to up their game on SA of malicious code embedded in public projects.

simulator5g 3 hours ago | parent | next [-]

That's the reality of modern war. Many countries are likely planting malware on a wide scale. You can't even really prove where an attack originated from, so uninvolved countries would also be smart to take advantage of the current conflict. Like if you primarily wrote German, you would translate your malware to Chinese, Farsi, English, or Hebrew, and take other steps to make it appear to come from one of those warring countries. Any country who was making a long term plan involving malware would likely do it around this time.

ipnon 3 hours ago | parent | prev [-]

NPM is designed to let you run untrusted code on your machine. It will never work. There is no game to step up. It's like asking an ostrich to start flying.

dcrazy 3 hours ago | parent | next [-]

It’s far from a complete solution, but to mitigate this specific avenue of supply chain compromise, couldn’t Github/npm issue single-purpose physical hardware tokens and allow projects (or even mandate, for the most popular ones) maintainers use these hardware tokens as a form of 2FA?

yjftsjthsd-h 2 hours ago | parent [-]

What would a physical token give you that totp doesn't?

Edit: wait, did the attacker intercept the totp code as it was entered? Trying to make sense of the thread

dcrazy 2 hours ago | parent [-]

The attacker installed a RAT on the contributor’s machine, so if they had configured TOTP or saved the recovery codes anywhere on that machine, the attacker could defeat 2FA.

yjftsjthsd-h 16 minutes ago | parent [-]

Oh, yes, I missed that the TOTP machine was compromised :\ Would that then imply that it would have been okay if codes came from a separate device, e.g. a TOTP app on a Palm OS device with zero network connectivity? (Or maybe these days the easiest airgapped option is an old android phone that stays in airplane mode...)

lrvick an hour ago | parent | prev [-]

All maintainers need to do is code signing. This is a solved problem but the NPM team has been actively rejecting optional signing support for over a decade now. Even so maintainers could sign their commits anyway, but most are too lazy to spend a few minutes to prevent themselves from being impersonated.

yawaramin 4 minutes ago | parent [-]

If the solution is 'maintainers just need to do xyz', then it's not a solution, sorry. It's not scalable, and which projects become 'successful' and which maintainers accidentally become critical parts of worldwide codebases is almost pure chance. You will never be able to get all the maintainers you need to 'just' do xyz. Just like you will never be able to get humans to 'just' stop making mistakes. So you had better start looking for a solution that doesn't rely on humans not making mistakes.