«GITLAB DISCOVERS WIDESPREAD NPM SUPPLY CHAIN ATTACK»

🟠 [https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/]

It has, of course, been a hard year for npm, but this "call of Shai-Hulud" is one of the most unexpected and, in a way, beautiful references to Dune.

It's one of those cases where you look at a piece of malware and think not "ugh, what nasty malware" but "huh, that's a neat idea".

#Sha1Hulud #Dune

Security hot take: When a build tool (NPM/Cargo/Maven/etc) tries to download a known compromised version of a package, the repository should send the build a status code that breaks the build on the client side.

Business process interruptions should not be prioritised ahead of integrity and confidentiality.

#security #sha1hulud

Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.

I still however am seeing infected machines posting their private data publicly on GitHub.

Not only that, I can see infected developers' GitHub repos being defaced in real time.

These Microsoft-owned platforms seem to be really struggling with stopping this worm.

Query for defaced repos 👇🏿

https://github.com/search?q=api.airforce&type=repositories&s=updated&o=desc

#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity


Well, despite #GitHub & #npm making a big push for mandatory #2FA, the #ShaiHulud / #Sha1Hulud attacks happened anyway.

Grand. #MFA has wasted my time and put me forevermore at risk of being locked out of my own account, and it's all for nothing. 🤬

Could the #cybersecurity #infosec people please come up with an authentication scheme for npm that's actually secure? Your users are programmers and you're running arbitrary code on their boxes. You have a LOT of latitude here. Use your imagination.

so with #sha1hulud v2 around, there's never been a worse time to experiment with #typescript. (which i'm doing now. timing.)

me: "how do i check *all* the dependencies? not just the top level, but recursively through their dependencies as well?"
google results: `npm view ls` will do that for your installed packages :)

...yeah but guess when sha1hulud detonates? in a pre- or post-install script.

so i made this. https://github.com/AdamRGrey/npm-dependencies-flatten
hopefully npm doesn't mind being pinged that much. (and then i manually cross reference with a list of known infected packages; here's one: https://jfrog.com/blog/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected/ )

#pypi on the #sha1hulud situation:

"PyPI has not been exploited, however some PyPI credentials were found exposed in compromised repositories. We've revoked these tokens as a precaution, there's no evidence they have been used maliciously. This post raises awareness about the attack and encourages proactive steps to secure your accounts, especially if you're using build platforms to publish packages to PyPI."

https://blog.pypi.org/posts/2025-11-26-pypi-and-shai-hulud/

PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats - The Python Package Index Blog

Shai-Hulud is a great worm, not yet a snake. Attack on npm ecosystem may have implications for PyPI.

Theo doing a deeper dive into #sha1hulud and points out how central #Github actions are to this fiasco.

https://youtu.be/weLhik7ArCY?si=8RMSgKTk_pGF0BGq

You have no idea how bad this really is.

YouTube
NPM just got hacked and it's worse than you think...

I was able to track down 3 out of the remaining 5 affected packages and posted bug reports & security alerts to those developers I located.

Sure would be nice if NPM and GitHub did this automatically... kinda feel like I've done an awful lot of free labor for Microsoft this week.

https://github.com/datapartyjs/walk-without-rhythm/issues/13

#Sha1Hulud #microsoft #npm

TASK - Notify infected developers · Issue #13 · datapartyjs/walk-without-rhythm

I'm still seeing packages in NPM that are infected and have not been unpublished. I'll track the projects I've notified here. scgscorp/capacitor-voice-recorder-wav#1


Is NPM still dangerous?

Yes, we're down to five known infected packages still circulating on the Microsoft-owned platform.

The following five packages continue to spread the Sha1-Hulud worm with no warning at all on the NPM page nor at download/install time:

hyper-fullfacing 1.0.3

@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2

quickswap-ads-list 1.0.33

@seung-ju/react-native-action-sheet 0.2.1

tcsp 2.0.2

#Sha1Hulud #microsoft #npm