🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week.

Multiple high-impact maintainers have all confirmed they were targeted in the same coordinated social engineering campaign that compromised Axios.

https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers

@SocketSecurity Ohhhhh, that was it! I was targeted as well (probably for hapi and/or joi), found it quite rude to recruit like that, so I didn't even bother 😂 Thanks for the investigation, that's super helpful as always 🙏
@marsup Glad you weren't snared by it! Stay safe!

@SocketSecurity
So we either turn off automatic updates and forgo security patches, or we read every single line of code before we run it.

Unfortunately not everybody is a programmer.

@humbird0 @SocketSecurity the approach we are currently going for is quarantining new packages for a time (by way of our artifact manager, exact number of hours/days still being discussed/tuned), with manual overrides in the case of critical vulnerabilities. Fortunately most of the "big" packages getting taken over also get spotted pretty quickly (~hours) so this doesn't require too long a quarantine, but requires stringent/enforced use of the artifact manager...

This, to be fair, kinda offloads the responsibility for actually checking to third parties, which I am not very happy with, but it's mostly functional.

@humbird0 @SocketSecurity
To be fair, it was always like this. The promise of open source was that it was safe because people could (and would) read and audit one another's code, and we would derive trust from that. It used to work because for a long while, there was much less code to read and worry about and the community was a tightly knit bunch of enthusiasts. Nowadays, we have an unmanageable influx of code maintained by a single, burned out maintainer, which is impossible to keep up with.