singulasar
Joined 11 karma

  1. Let's hope the defunding of medical research can stop so this can become true
  2. The chalk/debug one: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe Socket also found it this way, just a bit later.

    The dev later said that Charlie notifying him probably shaved off some very important time for the remediation.

    So in this case 2 different companies found it using automated tech before anyone else.

  3. Hmm, sure, I can agree that the position is extremist. I still don't agree that 1 (or some) extremist positions make the current people in power extremist. Or at least, maybe they are, but I think most of the alternatives are more extremist.

    It's definitely a disgusting horrible proposal.

  4. Not really, app sec companies scan npm constantly for updated packages to check for malware. Many attacks get caught that way, e.g. the debug + chalk supply chain attack was caught like this: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...
  5. Again, I disagree, I wouldn't call it extremist. It's vile and wrong, but people all over the political spectrum are in favour of this. There's a difference between something being bad or self-serving, and something being extremist. Labelling everything as extremist does not help anyone, especially today when everyone is already highly divided.

    No way I'm getting into the restrict state powers discussion as that is highly complex and not something that can properly be discussed on an internet forum.

  6. There's multiple security firms by now that constantly scan updated npm packages for malware. Obviously those companies can only do this after a new package has been published.

    Npm could add this as an automated step during publishing. Sure, there's a manual review needed for anything flagged, but you can easily fix this as well by having something like a trusted contributor program where, let's say, you'd need 5 votes to overrule a package being flagged as malware.

  7. Or maybe let's not?

    Their actions are clearly not extremist, absolutely not perfect and not always equally democratic, but not extremist or violent like the actual extremists...

  8. on the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.

    MS doesn't care.

  9. Yes to the "you guys can detect it in my codebase", but it's generally not required for someone to report a compromised package; we do also discover them ourselves quite fast due to automated scans of npm package updates. This is how Aikido was first to discover the previous supply chain hack.

    The easiest way for you to use our product to be protected is actually using one of our free open source tools. https://www.npmjs.com/package/@aikidosec/safe-chain

    This is a wrapper around npm etc. that will prevent you from installing malware.

  10. I'm so sick of people saying this. If you use js for any non-tiny project, you'll have a bunch of packages. Due to how modules work in js, you'll have many, many sub dependencies.

    Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions.

    If you have time to review every package, every time it updates, you might as well just write it yourself.

    Yes, this is a problem; no, reviewing every dependency is not the damn solution.

  11. Unphishable 2FA would have prevented this specific case though... what are you talking about?
  12. The company that first found this vulnerability also has a tool for this: https://www.npmjs.com/package/@aikidosec/safe-chain
  13. I think it's quite good, there's a sense of urgency, but it's also not "immediately change it!" They gave more than a day, and stated that it would be a temporary lock. Feel like this one really hit the spot on that aspect.

    You should still never click a link in an email like this, but the urgency factor is well done here.
