One of the most popular JavaScript packages on earth, Axios, has been compromised

The Axios NPM package has been compromised and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever.

💥 https://opensourcemalware.com/blog/axios-compromised

#javascript #axios #webdev #npm #js #dev #compression #softwareattribution #web #webdev #successful #attack #plaincryptojs #malware

@kubikpixel

when I tried nodejs for the first time, I needed ONE lib and it downloaded 200+ packages
that's when I knew this system is total fubar and I terminated my nodejs career immediately

@pmj @kubikpixel

Typosquatting or packages with name similarities infected Python and Ruby some years ago. Ugly, but fixable.

NPM is controlled by Microslop via Gitslop.

@kubikpixel

Feels like "arbitrary code execution" is the fundamental vulnerability attacked in many systems. I wonder how much longer that'll continue to be a feature. I wonder if post-install hooks running arbitrary scripts could be strangler-fig replaced by more-limited "vocabularies" of actions to be taken. The xz attack was the same, right? And there was another one a week or two ago that I've already forgotten. And email viruses from ancient times relied on the same "feature".

@Meyerweb

@tarheel @kubikpixel @Meyerweb excess authority is the real killer. If we used the principle of least authority routinely, arbitrary code execution would not be such a problem.

https://github.com/dckc/awesome-ocap

GitHub - dckc/awesome-ocap: Awesome Object Capabilities and Capability Security