undefined | Better HN

0 pointsnukeop8y ago0 comments

That's okay, but it's not enough - it's easy to swap two letters and do similar substitutions to fool many users. If a package is downloaded 10,000 times every day, surely once in a while someone will misspell the name somehow.

Other than that, their reaction to similar incidents was to wait for somebdoy on twitter to notify them, ban the responsible users, and hope that it won't happen again. It's still extremely exploitable and there are surely many other novel ways of installing malware using the repository that we haven't even heard of yet. The NPM security team is slow to act and sadly doesn't think ahead. They're responsible for one of the largest software ecosystems in the world, they should step up their game.

0 comments

3 comments · 2 top-level

eropple8y ago· 1 in thread

Yup. The best answer I can come up with given their constraints (some self-imposed) is to force all new packages to be scoped.

johnny228y ago

how many typosquats on scope names will there be I wonder.

Rapzid8y ago

They could(should?) implement edit distance checks on all new packages against existing packages. If the name is too similar to an existing package name it requires approval.

j / k navigate · click thread line to collapse