undefined | Better HN

0 pointsschemescape4y ago0 comments

Given that these attacks are becoming increasingly common, package registries could at least install each package (prior to publishing) in some isolated container or VM and then run some similar malware detection on the resulting file system.

Honestly, I'm strongly considering moving away from the NPM ecosystem because it's clearly become a target for malware.

0 comments

10 comments · 3 top-level

thrashh4y ago· 6 in thread

But attackers are not dumb. They would circumvent whether loose checks the package manager may have. Just considering your suggestion, the obvious immediate exploit is to not deploy the attack payload right away. Nothing you will think of will evade defeat.

schemescapeOP4y ago

I agree that it is an unending arms race, but if NPM doesn't even plug obvious holes (like running install scripts by default), then they've lost my trust.

Edit: if anyone knows of a way to disable NPM from running install scripts automatically (without having to remember to specify --ignore-scripts on each invocation), while still allowing me to use "npm run" to manually run scripts (e.g. test scripts for my own packages), I'd love to hear about it.

Ginden4y ago

npm ci --ignore-scripts

1 more reply

matheusmoreira4y ago

> Nothing you will think of will evade defeat.

Trust. Why is it that random people can submit packages? Make it so they can't. Only trustworthy people should be able to do that. People who care, so that we don't have to. People we can trust. This is how Linux distributions work and you just don't see malware randomly making its way into official repositories.

nijave4y ago

You can DIY. There's also plenty of reputation dependency scanners out there (especially in the corporate world) that will look at license, commit rate, number of committers, release frequency, transitive dependencies, etc and generate "safety" score for you

E.g. "This is maintained by a huge network of contributors who contribute to other huge projects" vs "This is a single developer with a couple commits a year"

peteatphylum4y ago

I wish it worked that way. I just peeked into how python packages in debian-based distros work. They are most frequently PyPI packages with some debian wrapping, so we're back at the same problem.

1 more reply

yardstick4y ago

“Don’t let perfect be the enemy of good”

nijave4y ago· 1 in thread

I've seen some talks about implementing this at the programming level but can't remember the specifics. Basically treating dependencies similar to apps on a smartphone where they each run in a namespace or security context and there's control over what data gets passed in and out of the module or package. (In stark contrast to the current model where everything just runs in a global namespace)

tmpfs4y ago

We are working on this here [1].

Uses the object capability model provided by SES [2].

[1] https://github.com/LavaMoat/LavaMoat [2] https://github.com/endojs/endo

qPM9l3XJrF4y ago

Why would malware authors target NPM in particular? Maybe they are targeting lots of package registries, and NPM is just more vigilant?

j / k navigate · click thread line to collapse

0 comments

10 comments · 3 top-level

thrashh4y ago· 6 in thread

schemescapeOP4y ago

I agree that it is an unending arms race, but if NPM doesn't even plug obvious holes (like running install scripts by default), then they've lost my trust.

Ginden4y ago

npm ci --ignore-scripts

1 more reply

matheusmoreira4y ago

> Nothing you will think of will evade defeat.

nijave4y ago

E.g. "This is maintained by a huge network of contributors who contribute to other huge projects" vs "This is a single developer with a couple commits a year"

peteatphylum4y ago

I wish it worked that way. I just peeked into how python packages in debian-based distros work. They are most frequently PyPI packages with some debian wrapping, so we're back at the same problem.

1 more reply

yardstick4y ago

“Don’t let perfect be the enemy of good”

nijave4y ago· 1 in thread

tmpfs4y ago

We are working on this here [1].

Uses the object capability model provided by SES [2].

[1] https://github.com/LavaMoat/LavaMoat [2] https://github.com/endojs/endo

qPM9l3XJrF4y ago

Why would malware authors target NPM in particular? Maybe they are targeting lots of package registries, and NPM is just more vigilant?

j / k navigate · click thread line to collapse