this post was submitted on 25 Feb 2026

Cybersecurity

[–] ageedizzle@piefed.ca 1 points 2 days ago (2 children)

Is npm inherently more insecure than other package managers (like yarn, or even package managers for other languages like pip or whatever) or do I just happen to hear about npm vulnerabilities more?

[–] Sv443@sh.itjust.works 1 points 1 day ago

JavaScript is the most popular language and runs not just websites that handle private credentials but also on the desktop via frameworks like Electron or Tauri, and npm happens to be the biggest package registry for JavaScript.
So it is just one of the most lucrative targets for bad actors, since you get the benefit of infecting end users, developers, companies, websites, servers, and more in just one good hack.
Also up until very recently the most popular JS framework Node didn't have permission controls, meaning any installed library had the same privileges as the user running the program.

[–] angelmountain@lemy.nl 4 points 2 days ago (1 children)

This article talks about "typosquatting", that just means they introduced packages with a similar name to other packages but in this case also containing malicious code.

I expect other package managers to be just as vulnerable to this. The only way I can think of to mitigate this is very strict registry policies, someone checking all versions of all packages in the registry to make sure there is no malicious code in them. That would take a lot of effort.

I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.

I don't believe yarn is any more secure than npm, especially not for this type of attack. Yarn used to be a bit more secure because it checked checksums where npm didn't, but that has been added to npm as well now (https://sebhastian.com/npm-err-code-eintegrity/)
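A defender-side check that follows from the two points above (lookalike package names, and lockfile integrity hashes as the thing npm now verifies), written as an added example for this thread and not code from any commenter or from npm itself. It assumes the npm lockfile v2/v3 layout (a `packages` map keyed by `node_modules/<name>`); the popular-package list, the lookalike name `lodahs` and the sample lock file are constructed for the demo.

```javascript
// Added example: scan a package-lock.json object for two risks discussed in
// the thread: dependency names one edit away from a well-known package
// (possible typosquat) and entries that carry no "integrity" hash.
// POPULAR is a constructed short list, not a real allow-list.
const POPULAR = ["lodash", "express", "react", "chalk", "axios"];

// Damerau-Levenshtein distance (optimal string alignment): insertion,
// deletion, substitution and adjacent transposition each cost 1, so a
// swapped pair of letters ("lodahs") still counts as a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns findings for a parsed lockfile (lockfileVersion 2/3: "packages"
// keyed by "node_modules/<name>", nested and scoped paths included).
function auditLock(lock, popular = POPULAR) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry has no integrity
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) findings.push({ name, issue: "missing-integrity" });
    for (const p of popular) {
      const dist = editDistance(name, p);
      if (dist === 1) findings.push({ name, issue: "lookalike", of: p });
    }
  }
  return findings;
}

// Constructed lock file: one real dependency name with a placeholder hash,
// and one lookalike name ("lodahs", constructed) that carries no hash at all.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-<placeholder>" },
    "node_modules/lodahs": { version: "1.0.0" },
  },
};
console.log(JSON.stringify(auditLock(SAMPLE_LOCK)));
```

Point `auditLock` at `JSON.parse(fs.readFileSync("package-lock.json"))` and a list of the packages your project actually depends on to use it on a real tree.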

[–] ageedizzle@piefed.ca 2 points 2 days ago

I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.

I guess that makes sense. For peak security I guess it's best to use a niche programming language to avoid that kind of thing