TZubiri a day ago

>npm install playcaptcha

Imagine you get pwned for trying this out in your home project, the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain that this is what infected the company IT stack.

Terr_ a day ago | parent | next

> npm install

Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"

(Yeah, not as good as completely separate computer, diminishing returns, but still...)

thunderbong a day ago | parent | prev | next

If you see the code, that dependency just happens to be another file in the repository [0].

The only dependency is the 'motion' library.

[0]: https://github.com/mortspace/playcaptcha

TZubiri a day ago | parent

Does npm install pull code from that GitHub repo, though? If not, auditing that repo is a huge blunder.

I'm seeing this from npm, which is a bit different:

https://www.npmjs.com/package/playcaptcha

Not saying the package is malicious (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream). Just saying: if you are going to audit it, actually audit it as if you were up against an attacker.
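
An added example, not from this thread or from the playcaptcha project, of auditing the artifact npm actually installs rather than the GitHub repo. `npm pack <name>` downloads the published tarball without running anything, and `npm install --ignore-scripts` skips lifecycle hooks; the script below takes such a tarball plus a git checkout and reports install hooks, files that exist only in the published package, and files whose content differs from the repo. The package name, file contents and "tampered" tarball are constructed fixtures built by `build_fixture()`, not the real package.

```python
"""Audit a published npm tarball against a git checkout (offline example)."""
import io
import json
import os
import tarfile
import tempfile

# Lifecycle hooks npm runs automatically on install; an attacker who controls
# the published package (but not the repo) puts the payload here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def _repo_files(repo_dir):
    """Map relative path -> bytes for every file in the checkout (skips .git)."""
    files = {}
    for root, dirs, names in os.walk(repo_dir):
        dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, repo_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def _tarball_files(tgz_path):
    """Map relative path -> bytes; npm nests everything under a package/ prefix."""
    files = {}
    with tarfile.open(tgz_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[rel] = tar.extractfile(member).read()
    return files


def audit_npm_tarball(tgz_path, repo_dir):
    """Compare what npm would install with what the repository shows."""
    published = _tarball_files(tgz_path)
    repo = _repo_files(repo_dir)

    pkg = json.loads(published.get("package.json", b"{}"))
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in INSTALL_HOOKS}
    extra = sorted(p for p in published if p not in repo)
    modified = sorted(p for p in published if p in repo and published[p] != repo[p])
    return {"install_hooks": hooks, "extra_files": extra, "modified_files": modified}


def build_fixture():
    """Constructed sample: a clean checkout and a tampered published tarball."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    os.makedirs(repo)
    with open(os.path.join(repo, "package.json"), "w") as fh:
        json.dump({"name": "example-captcha", "version": "1.0.0", "main": "index.js"}, fh)
    with open(os.path.join(repo, "index.js"), "w") as fh:
        fh.write("module.exports = () => 'captcha';\n")

    tgz = os.path.join(base, "example-captcha-1.0.0.tgz")
    with tarfile.open(tgz, "w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        # Published package.json gains a postinstall hook the repo never had.
        add("package.json", json.dumps({
            "name": "example-captcha", "version": "1.0.0", "main": "index.js",
            "scripts": {"postinstall": "node lib/setup.js"},
        }).encode())
        # index.js differs from the checkout, and lib/setup.js exists only here.
        add("index.js", b"require('./lib/setup');\nmodule.exports = () => 'captcha';\n")
        add("lib/setup.js", b"// hypothetical payload absent from the repo\n")
    return tgz, repo


if __name__ == "__main__":
    tgz, repo = build_fixture()
    print(json.dumps(audit_npm_tarball(tgz, repo), indent=2))
```

Any non-empty `install_hooks`, or any path in `extra_files`, is a finding to read by hand before the package ever runs; a clean diff still only tells you the tarball matches the repo at that commit, not that the repo itself is safe.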

GuestFAUniverse a day ago | parent | prev

npm install randomgotcha