undefined | Better HN

0 pointsembedding-shape4mo ago0 comments

> NPM is too insecure for production CLI usage.

NPM was never "too insecure" and remains not "too insecure" today.

This is not an issue with npm, JavaScript, NodeJS, the NodeJS foundation or anything else but the consumer of these libraries pulling in code from 3rd parties and pushing it to production environments without a single review. How this still fly today, and have been since the inception of public "easy to publish" repositories remains a mystery to me even today.

If you're maintaining a platform like Zapier, which gets hacked because none of your software engineers actually review the code that ends up in your production environment (yes, that includes 3rd party dependencies, no matter where they come from), I'm not sure you even have any business writing software.

The internet been a hostile place for so long, that most of us "web masters" are used to it today. Yet it seems developers of all ages fall into the "what's the worst that can happen?" trap when pulling in either one dependency with 10K LoC without any review, or 1000s of dependencies with 10 lines each.

Until you fix your processes and workflows, this will continue to happen, even if you use pnpm. You NEED to be responsible for the code you ship, regardless of who wrote it.

0 comments

jkrems4mo ago

They didn't deploy the code. That's not how this exploit works. They _downloaded_ the code to their machine. And npm's behavior is to implicitly run arbitrary code as part of the download - including, in this case, a script to harvest credentials and propagate the worm. That part has everything to do with npm behavior and nothing to do with how much anybody reviewed 3P deps. For all we know they downloaded the new version of the affected package to review it!

Ajedi324mo ago

If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time? Who manually reviews new versions of their project dependencies after installing them but before running them?

GP is correct. This is a workflow issue. Without a review process for dependencies, literally every package manager I know of is vulnerable to this. (Yes, even Maven.)

zahlman4mo ago

> If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time?

Many such forms of malware have already been published and detected.

> Who manually reviews new versions of their project dependencies after installing them but before running them?

One person putting in this effort can protect everyone thereafter.

The PyPI website has a "Report project as malware" button on each project page for this purpose.

But yes, this is the world we live in. Without this particular form of insecurity, there is no "ecosystem" at all.

locallost4mo ago

Thank you.

bpavuk4mo ago

wait, I short-circuited here. wasn't the very concept of "libraries" created to *not* have to think about what exactly the code does?

imagine reviewing every React update. yes, some do that (Obsidian claims to review every dependency, whether new or an update), but that's due to flaws of the ecosystem.

take a look at Maven Central. it's harder to get into, but that's the price of security. you have to verify the namespace so that no one will publish under e.g. `io.gitlab.bpavuk.` namespace unless they have access to the `bpavuk` GitLab group or user, or `org.jetbrains.` unless they prove the ownership of the jetbrains.com domain.

Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

tadfisher4mo ago

> Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

That in itself is scary because Git refs are mutable. Even with compromised credentials, no one can replace artifacts already deployed to Maven Central, because they simply don't allow it. There is nothing stopping someone from replacing a Git tag with one that points to compromised code.

The surface area is smaller because Go does locking via go.sum, but I could certainly see a tired developer regenerating it over the most strenuous of on-screen objections from the go CLI.

fpoling4mo ago

Go also includes a database of known package hashes so altering git tag to point to another commit will be detected.

JodieBenitez4mo ago

I don't know if it's a common or even a good practice, but I like to go mod vendor and add the result to my repo.

1 more reply

tapete23mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

Let's say you need a FFT implementation. You can write that from scratch, or you can use a library. In both cases you should use tests to verify that the code calculates the FFT correctly, and in the library case you should read the code to make sure that it works correctly and does not omit and edge cases (e.g.).

zahlman4mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

If you care about security, you only have to care once, during the audit. And you can find a pretty high percentage of malware in practice without actually having a detailed understanding of the non-malicious workings of the code.

Libraries allow you to not think about what the code does at development time, which in general is much more significant than audit time. Also, importantly, they allow you not to have to design and write that part of the code.

Ajedi324mo ago

Are GitHub creds any harder for malware to steal than NPM creds? I don't see how that helps at all.

bpavuk3mo ago

well, if you talk about private SSH keys for Git operations and SSH/GPG keys for signing, then you'd better set up a passphrase on them, which GitHub strongly recommends. the passphrase will make it significantly harder to use the keys. so, as usual, It Depends (c)

jama2114mo ago

“Personally, I never wear a seatbelt because all drivers on the road should just follow the road rules instead and drive carefully.”

I don’t control all the drivers on the road, and a company can’t magically turn all employees into perfect developers. Get off your high horse and accept practical solutions.

embedding-shapeOP4mo ago

> and a company can’t magically turn all employees into perfect developers

Sure, agree, that's why professionals have processes and workflows, everyone working together to build the greatest stuff you can.

But when not a single person in the entire company reviews the code that gets deployed and run by users, you have to start asking what kind of culture the company has, it's borderline irresponsible I'd say.

jama2114mo ago

Or they have different priority structures where this isn’t the developers job. Also things get missed sometimes no matter how good your processes are. But improving those processes could involve something like avoiding npm over pnpm.

j / k navigate · click thread line to collapse

0 comments

jkrems4mo ago

Ajedi324mo ago

GP is correct. This is a workflow issue. Without a review process for dependencies, literally every package manager I know of is vulnerable to this. (Yes, even Maven.)

zahlman4mo ago

> If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time?

Many such forms of malware have already been published and detected.

> Who manually reviews new versions of their project dependencies after installing them but before running them?

One person putting in this effort can protect everyone thereafter.

The PyPI website has a "Report project as malware" button on each project page for this purpose.

But yes, this is the world we live in. Without this particular form of insecurity, there is no "ecosystem" at all.

locallost4mo ago

Thank you.

bpavuk4mo ago

wait, I short-circuited here. wasn't the very concept of "libraries" created to *not* have to think about what exactly the code does?

imagine reviewing every React update. yes, some do that (Obsidian claims to review every dependency, whether new or an update), but that's due to flaws of the ecosystem.

Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

tadfisher4mo ago

> Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

The surface area is smaller because Go does locking via go.sum, but I could certainly see a tired developer regenerating it over the most strenuous of on-screen objections from the go CLI.

fpoling4mo ago

Go also includes a database of known package hashes so altering git tag to point to another commit will be detected.

JodieBenitez4mo ago

I don't know if it's a common or even a good practice, but I like to go mod vendor and add the result to my repo.

1 more reply

tapete23mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

zahlman4mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

Ajedi324mo ago

Are GitHub creds any harder for malware to steal than NPM creds? I don't see how that helps at all.

bpavuk3mo ago

jama2114mo ago

“Personally, I never wear a seatbelt because all drivers on the road should just follow the road rules instead and drive carefully.”

I don’t control all the drivers on the road, and a company can’t magically turn all employees into perfect developers. Get off your high horse and accept practical solutions.

embedding-shapeOP4mo ago

> and a company can’t magically turn all employees into perfect developers

Sure, agree, that's why professionals have processes and workflows, everyone working together to build the greatest stuff you can.

jama2114mo ago

j / k navigate · click thread line to collapse