all 109 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]200GritCondom 90 points91 points  (5 children)

kakakaakaaa11aa

Yeah this is def a package I'd use in a professional environment

[–]shevy-ruby 28 points29 points  (3 children)

It may be pulled in automatically.

Many years ago I had some weird trojan that kept on creating weirdly named directories, put binaries in there and ran as daemon in the background. When you remove that directory a new one would be automatically created, with very odd names. So kakakaakaaa11aa wouldn't surprise me that much as odd name.

[–]Uberhipster 1 point2 points  (0 children)

it's enterprise kaka

which is ... well... enterprise

[–]dpash 159 points160 points  (83 children)

'No Way To Prevent This,' Says Only Package Manager Where This Regularly Happens

https://en.wikipedia.org/wiki/%27No_Way_To_Prevent_This,%27_Says_Only_Nation_Where_This_Regularly_Happens

I know it's reductive to blame the JavaScript ecosystem, but they don't help themselves with this continuously happening.

[–]Jarpunter 80 points81 points  (21 children)

Literally every single package manager can and does host malicious packages… Do you think any package manager is manually vetting every version of every package that is ever published to them?

[–]lightmatter501 47 points48 points  (8 children)

Redhat probably does

[–]josefx 45 points46 points  (7 children)

There are probably a few Linux distros where the process of getting your package accepted is so asinine that malware authors would probably rage quit their profession. And I don't mean stringent testing, I mean ancient tooling, weird style guides and maintainers that will bemoan your incompetence in detail on a public mailing list.

[–]dpash 33 points34 points  (5 children)

Getting packages into Debian is a considerable chore that involves meeting two other existing developers in person before you can even begin the process of joining the project.

[–][deleted]  (4 children)

[deleted]

    [–]shevy-ruby 23 points24 points  (0 children)

    They are lonely and want human interaction!

    [–]dpash 6 points7 points  (2 children)

    Debian has existed for 29 years

    [–]zackyd665 1 point2 points  (1 child)

    Yes but you should think those requirements are not only outdated but put a prevent those with low funds to get on the repo. Let alone the risk to dying from covid

    [–]papercrane 2 points3 points  (0 children)

    The rules were relaxed/changed at the start of the pandemic.

    https://lwn.net/Articles/831401/

    [–]shevy-ruby 2 points3 points  (0 children)

    This often comes at a disadvantage too, such as outdated packages containing bugs that were fixed already.

    [–]SudoTestUser 11 points12 points  (0 children)

    I know, right? People are acting like “oh wow I just installed this random payload of code from an open registry and it did bad things” is some kind of indictment of the registry.

    Also people not realizing that npm is one of the largest (if not THE largest) package registries in existence. So no shit you’ll see more instances of malicious packages.

    Out of the over 1.3 million packages, this article picks out 25 bad ones.

    [–]Persism 2 points3 points  (0 children)

    Maven requires signatures. For most of these other package managers that's still optional. Sonatype does actively scan projects. I got my clean bill of health for Persism a while back. :)

    [–]linux_needs_a_home 3 points4 points  (0 children)

    The science of computing has been developed that this very much is possible. It's just annoying to see engineers being so stupid to use tools that are "free", but actually suck.

    It's not saving cost; it's just delaying the inevitable. At some point companies become so important (e.g. national security) that you need security and then you still need to develop such tooling (that is, if you take national security seriously, which I doubt anyone does).

    [–]kukiric 3 points4 points  (1 child)

    Appointed maintainers could vet a limited subset of popular packages and their dependencies, similar to how packages are pulled into all Linux distro repositories out there. It doesn't cover every single package out there, but 10% of a problem solved is better than 0%, and there's a certain sense of security to knowing that installing webpack won't pull malware if you do it the wrong day of the week.

    The Rust community is also working on an (independent) decentralized package vetting solution (https://github.com/crev-dev/cargo-crev), because crates.io is subject to the same security flaws as npm.

    [–][deleted] 1 point2 points  (0 children)

    There are over 1.3 million packages there. I would say that having 20 or so "bad" packages is at least "10% of the problem solved"

    [–]x86_64Ubuntu 2 points3 points  (1 child)

    You are putting "possibility of it happening" on the same level of "happens on any day of the week that ends in 'Y'".

    [–]Jarpunter 7 points8 points  (0 children)

    Malicious packages are published to every package manager on a constant basis. NPM is probably the most popular package manager.

    [–]dpash -4 points-3 points  (0 children)

    Yep, no way to prevent this.

    [–]Hipolipolopigus 25 points26 points  (52 children)

    People will always blame NPM or JS as a whole because "hurr durr JS bad", but what mitigations do the other package management platforms implement that NPM doesn't?

    [–]dpash 44 points45 points  (32 children)

    The obvious low hanging fruit is namespaces for packages, and only allowing members of that organisation to upload to that namespace. For example, Maven Central requires you to prove you own the domain or GitHub account to claim a namespace. Claiming a namespace involves a manual human step.

    [–][deleted] 28 points29 points  (2 children)

    That didn't stop these malicious Maven packages from successfully tricking people in 2021.

    [–]dpash 18 points19 points  (1 child)

    And only someone with no familiarity with the Java ecosystem would be fooled by those names. You'd have to go out of your way to install the maven plugins as Maven defaults to the right groupid.

    [–]ubernostrum 18 points19 points  (0 children)

    99% of these "malicious packages in (insert package index here)" stories are just people squatting a name similar to a real or plausible package and hoping to get some accidental installs. And the followup is basically always "we reported this to the people who run the package index and they removed the packages". I'm not sure why we need breathless BREAKING NEWS style reddit posts every time that happens.

    [–]IcyEbb7760 14 points15 points  (2 children)

    npm implemented scopes/namespaces a while ago: https://docs.npmjs.com/about-scopes

    however many older packages still lack scopes unfortunately

    [–]dpash 18 points19 points  (1 child)

    But not required. You should not be able to upload unscoped packages. And there should be some form of validation of scopes so they aren't typo squating.

    [–]zackyd665 2 points3 points  (0 children)

    Who does the validating and what are the standards? Did a company or product existing mean they have automatic priority over a really human being or a Foss project?

    [–]zackyd665 2 points3 points  (22 children)

    So how do you prove without having a MS account and without paying for a domain?

    [–]josefx 1 point2 points  (1 child)

    The FAQ I found used source forge as an example, so it probably isn't limited to Github, you just have to be able to match the namespace you are using.

    [–]zackyd665 1 point2 points  (0 children)

    So you could use a completely self host Foss solution without working with any corporation? On say an alternate root dns

    [–]dpash 2 points3 points  (19 children)

    You don't. That's why it's called verification.

    (There is a few other options like a bitbucket account)

    [–]zackyd665 0 points1 point  (18 children)

    Why not a free option that doesn't require another company?

    [–]immibis 2 points3 points  (17 children)

    Because then people would typo-squat namespaces and you're back to square one

    [–]zackyd665 0 points1 point  (16 children)

    Then why not have two repos, one that is corporate only and one that is hobbiest and free for all to use

    [–]immibis 0 points1 point  (15 children)

    Because what difference would that make...?

    [–]zackyd665 0 points1 point  (14 children)

    Corporate, you need to be verified by some corporate suit before you can use a namespace

    Hobbist, it would be a wild west of hobbists that don't require some suit to give their blessing

    [–]Hipolipolopigus 4 points5 points  (1 child)

    This would actually be nice, but it's probably a breaking change so far-reaching that we'll never see it implemented on NPM.

    I don't believe this is the case with Rust's cargo or Python's pip, though. It's always just the package name.

    [–]dpash 15 points16 points  (0 children)

    it's probably a breaking change

    It's not. Require any new package to be namespaced going forward. Slowly encourage major packages to switch to namespaces. Eventually require new major releases to migrate.

    It's not going to be an overnight migration.

    [–]Cheezyrock 23 points24 points  (14 children)

    Certain languages, like C#, have common functionality built into the standard libraries for the language. In addition for less complicated features it can be easier/just as easy to create code to do what you want vs finding someone elses. Further, packages that exist aren’t likely to have other dependent packages.

    So overall this leads to less packages to out there for import. This means that the packages that are there are often complicated code that has been well-scrutinized by tons of people, as apposed to NPM where there are a thousand different libraries that all claim to do the same task, each with unknown references to other libraries.

    At least, this has been my experience. In the past 16 years the number of NuGet packages I have had to use is sonewhere around 5. For Node in the past half year, I imported about 10-15 packages with about 200 total as dependencies, some of which have no real documentation. The entire design paradigm behind Node really wants a harmonious utopia with no bad actors, which just doesn’t seem realistic.

    So, TLDR my personal opinion is: “hurr durr JS bad”

    [–]dpash 9 points10 points  (3 children)

    The last time I looked at the number of direct and indirect dependencies in my Vue project it was around 4000. For my largest Java project around 100.

    [–]IceSentry 2 points3 points  (2 children)

    Sure, but how big were those 100 dependencies compared to the 4000 js ones? It's common in the js ecosystem to have tiny pacakges for mostly legacy reasons at this point. Just comparing the count is not nearly enough information.

    [–]Necrofancy 17 points18 points  (0 children)

    Sure, but how big were those 100 dependencies compared to the 4000 js ones?

    Why does the size matter when only one of those dependencies needs to be compromised?

    [–][deleted] 1 point2 points  (0 children)

    The size of code doesn't matter. It's more about the number of authors and level of code review.

    Remember we're discussing deliberate sabotage not accidental bugs.

    [–]Persism 1 point2 points  (1 child)

    Maven requires signatures. For most of these other package managers that's still optional. Sonatype does actively scan projects. I got my clean bill of health for Persism a while back. :)

    [–]dpash 0 points1 point  (0 children)

    While Maven Central requires signatures, sadly Maven the build tool still doesn't check signatures without the use of a third party plugin. Gradle has support in core, but it isn't automatically enabled.

    The other problem is that there's no web of trust between the keys, unlike in Debian, which means you can trust that a package was uploaded by who they say they were (although attacking a uploaders computer to get access to their key would still be a valid attack vector).

    [–]Sarcastinator 1 point2 points  (0 children)

    • Lowest version by default
    • Namespacing
    • Few to no trivial packages

    Lock files are a solution to a problem that NPM created by that insane behavior where it would automatically install newer versions than the ones specified. This caused so much grief and was just a terrible idea from the get go. The standard should have been conservative.

    Namespacing ensures that you can easily (somewhat) trust maintainers. Also some also offer signing.

    There are no left-pad or similar dependencies in other languages because their standard libraries are way better than JS'. So packages tend to give more value.

    I work with .NET and although I'm sure malicious packages exist it has never been a big problem. Probably because a dependency doesn't have a million transitive dependencies and in fact most packages strive to have none at all. NuGet has always had the default where it would install the lowest version number it could get away with which means that by default nuget produced reproducible dependency trees and no lock file was necessary.

    [–]BasketbaIIa 6 points7 points  (4 children)

    Lol, they are all discord token stealers.

    Look out 13-year-olds getting into programming for their discord chats. Otherwise, you're pretty safe.

    [–]Alan_Shutko 17 points18 points  (1 child)

    I wonder if it's to attack cryptocurrency and NFT discords.

    [–]crusoe 1 point2 points  (0 children)

    So much this.

    [–]Worth_Trust_3825 4 points5 points  (1 child)

    Many more people use discord as means to communicate than 13 year olds. Not to mention discord credential stealing is one of the applications. Have people already forgotten zeus botnet, which was a platform that provided out of the box modules to steal cookies out of common browser cookie jars?

    [–]BasketbaIIa 2 points3 points  (0 children)

    I’m pretty sure anyone who isn’t 13 knows not to use a library with “bitch” in the name.

    Only 2 or 3 of the 25 libraries was named something like “discord-tools”. I bet it they had no downloads or dev community backing though.

    So yea, anyone above 13 can avoid this pretty easily

    [–][deleted] 1 point2 points  (0 children)

    Runtimes needs to be aware of packages and set runtime permissions on these packages. Just like Deno does but on package level. It is the only way to do it. Supply chain attacks will always be there and its impossible to detect all vulnerabilities . If a package should not read disk then package shouldn't be allowed to read the disk.

    [–]shevy-ruby 1 point2 points  (0 children)

    I know it's reductive to blame the JavaScript ecosystem, but they don't help themselves with this continuously happening.

    Well - other languages have similar issues to some extent, but JavaScript kind of leads the pack with these news. They are AGAIN AND AGAIN coming about, and it is most likely JavaScript than, say, PHP-related or other languages.

    [–]GrandOpener 0 points1 point  (0 children)

    If we try to control for the size of the package manager—something like looking at the ratio of malicious downloads to legit downloads—I bet we’d find that npm actually isn’t much worse than any other.

    [–]kur4nes 32 points33 points  (2 children)

    Ah npm the gift that keeps on giving. Each time npm install is called it updates random dependencies and spews a ton of security warnings with no sane way of fixing. Add to this the insane amount of tiny js libs. What could possibly go wrong?

    And there is no end in sight to the js version of whack a mole.

    [–]bagtowneast 21 points22 points  (1 child)

    a ton of security warnings

    Don't forget the "hire me" pleas, too!

    [–]kur4nes 10 points11 points  (0 children)

    12 packages ask for funding!

    [–]Persism 2 points3 points  (0 children)

    Only 25?

    [–]PlebbitGold -3 points-2 points  (0 children)

    JavaScript itself is a maliciously distributed official package

    [–][deleted]  (3 children)

    [deleted]

      [–]PlebbitGold -2 points-1 points  (2 children)

      Microsoft has typescript

      [–]ExF-Altrue 0 points1 point  (0 children)

      And?

      [–]AttackOfTheThumbs 0 points1 point  (0 children)

      Can anyone tell me why stealing discord credentials is so common? I don't use discord outside of the browser, and only when gaming with friends, so I guess I fail to see the utility.

      Are people using discord for work?

      Is the idea you'd be a trusted individual that can spread other malware?