Show HN: npm install actual-malware (opens in new tab)

(github.com)

55 pointslhmiles4y ago13 comments

Our package registry ecosystem has a serious problem... and not just npm.

People are aware of this but maybe this will make them a bit more aware

13 comments

12 comments · 6 top-level

ivraatiems4y ago· 3 in thread

This is a clever way to raise important issues in security of package managers, but I can't find support for your claim that NPM doesn't let you report malware. A cursory google search brought me this: https://docs.npmjs.com/reporting-malware-in-an-npm-package

And I confirmed that that button is indeed available on packages with a link that goes to eg https://www.npmjs.com/support?inquire=security&security-inqu...

What functionality was removed?

lhmilesOP4y ago

When I went to report vulnerabilities in two packages, I got a prompt "are you the maintainer of this package?". I hit no and it told me to go inform the maintainer.

ivraatiems4y ago

I'm not sure what to tell you. I submitted a report against your package and it went through and a security ticket was opened.

Could you post some screenshots of what you are seeing?

1 more reply

1023bytes4y ago

I'm also seeing a "Report malware" button directly on the package page

cookiengineer4y ago· 2 in thread

This is why it's important to use containers for development - or at least SELinux on your development host machine.

Simply restrict file access of npm to its cache folders, so it cannot access your other user configuration files.

Use additionally a host firewall like opensnitch to block npm from any other host than npmjs.com.

linkdd4y ago

This should be the default.

On Linux, packages should provide the SELiunx (or whatever) rules they need, and the user should accept them or not install the package (just like permissions on Android/iOS apps).

On Windows, the application could be sandboxed to its folder in `Program Files` and `%APPDATA%`.

Being secure by default should be the norm. When its not, you can tell users "you should do this" all you want, they won't do it.

cookiengineer4y ago

Completely agree with you, selinux would be much much nicer if configuration and setup would be easier and streamlined with downstream packages. The current "GUI" is basically a configuration editor that nobody understands. Maybe it's time to improve it?

kjok4y ago· 1 in thread

> Can't this be detected? Not really.

Contrary to OP belief, there are tools that claim to detect such malicious packages. I wonder how effective they are.

varunsharma074y ago

Here is one such tool for GitHub Actions: https://github.com/step-security/harden-runner. It would have detected and blocked the call to pastebin.com in this scenario. I am the maintainer of this tool.

GekkePrutser4y ago

Yep I've been trying to get our company to pay more attention to it. It's not just nodejs. All the new hipster languages pull in whatever they can grab. Python, golang, Ruby..

A lot of this stuff is submitted by random people that have no verified credibility. It's really worrying. I'm sure it'll take another major incident though before we'll really pay attention to it. Like wanna cry/notpetya did for SMBv1. Because the devs don't want any mitigations, it'll make their work more difficult.

jve4y ago

> Put passphrases on all your private keys. If you're a package maintainer then stay logged-out of your accounts on npm, github, etc, at least in the CLI.

Doesn't help when burglar is already in your house.

zeroimpl4y ago

I get npm, but is it that realistic that yum will pull down a virus? If yum could be infected, then you are either pulling down obscure packages or using a 3rd party repository. If a mainstream package could get infected, it’s just as likely to end up in the base image that you started with (ISO, docker container, etc).

j / k navigate · click thread line to collapse