undefined | Better HN

story

0 pointschristophilus5mo ago0 comments

What do you mean? You can drop into bash in a container and run any arbitrary command, so `npm install foo` works just fine. Why would posthog's SDK be a special case?

0 comments

LeifCarrotson5mo ago

I think the issue is more about what else has to go into or be connected to that container. Posthog isn't really useful if it's air-gapped. You're going to give it keys to access all kinds of juicy databases and analytics, and those NPM tokens, AWS/GCP/Azure credentials, and environment variables are exactly what it exfiltrates.

I don't run much on the root OS of my dev machine, basically everything is in a container or VM of some kind, but that's more so that I can reproduce my environment by copying a VMDK than in an effort to limit what the container can do to itself and data it has access to. Yeah, even with root access to a VM guest, an attacker they won't get my password manager, personal credit card, socials, etc. that I only use from the host OS... But they'll get everything that the container contains or has access to, which is often a lot of data!

Lutger5mo ago

You're severely limiting the blast radius. This malware works by exfiltrating secrets during installation, if I understood it correctly. If you would properly containerize your app and limit permissions to what is absolutely required, you could be compromised and still suffer little to no consequences.

Of course, this is not a real defense on its own, its just good practice to limit blast radius, much like not giving everybody admin rights.

rco87865mo ago

> Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

Even a properly containerized app will still have these things, because you need things like environment variables (that contain passwords, api keys, etc) for your app to function.

strbean5mo ago

You could create/run thin proxies for every external service that handle the auth side, and run each in a separate container. Orchestrate everything with docker-compose. Need to connect to cloud services for local development? Have a container with a proxy that transparently handles authentication. Now only that container has the secrets for talking to that service.

That's a lot of work though, and increases the difference between your local dev environment and prod.

amazingman5mo ago

Sure, but only the container is affected and it is always your responsibility to grant as little access as possible to the various credentials you may need to supply that environment. AFAICT with this worm, if you don't supply write-level GitHub credentials to the container (and you shouldn't!) and you install infected packages, the exploit goes no further.

rco87865mo ago

> if you don't supply write-level GitHub credentials to the container (and you shouldn't!)

Really? What if your application needs to write to Github?

rco87865mo ago

Because you need your application code to interact with Posthog's code. But if they're running in separate containers...how are you doing that. Surely you are not writing an api layer for every npm dependency you use.

j / k navigate · click thread line to collapse

0 comments

LeifCarrotson5mo ago

Lutger5mo ago

Of course, this is not a real defense on its own, its just good practice to limit blast radius, much like not giving everybody admin rights.

rco87865mo ago

> Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

Even a properly containerized app will still have these things, because you need things like environment variables (that contain passwords, api keys, etc) for your app to function.

strbean5mo ago

That's a lot of work though, and increases the difference between your local dev environment and prod.

amazingman5mo ago

rco87865mo ago

> if you don't supply write-level GitHub credentials to the container (and you shouldn't!)

Really? What if your application needs to write to Github?

rco87865mo ago

j / k navigate · click thread line to collapse