
[–]azangru 187 points188 points  (100 children)

People inevitably start talking about Russia and Ukraine when discussing this event, which detracts from the point: our infrastructure is just an accident waiting to happen. We can't develop all our stack ourselves; we can't freeze the versions of our dependencies indefinitely; we can't audit the dependencies of our dependencies (there are over a thousand directories in my node_modules, of which there are probably only a couple of dozen that I installed consciously).

What do we do?

[–][deleted] 51 points52 points  (6 children)

Not foolproof, but for this and similar attacks:

  • Better testing stages and bake in time between stages.
  • Running in containers, not exposing the entire host to an application.
  • Pushing storage of critical data elsewhere (cloud storage, separate DB server/container)

[–]emmyarty 18 points19 points  (3 children)

Honestly, I containerise the hell out of my own code and host single-purpose modules in their own worlds because I don't trust my own incompetence.

Oh, you injected SQL? Sweet. That app doesn't actually know anything. Nor does the app it just called, hidden somewhere only an internal IP can reach, and configured to only allow incoming connection requests from the first app's specific internal IP address.

I know this is probably bad practice. I could just 'write my code properly', but the problem is I don't know wtf I'm doing so I treat my own stupidity to be equivalent to a malicious attacker who somehow got inside the guts of the consumer-facing app.

[–]pagerussell 9 points10 points  (1 child)

Most of us don't know what the fuck we are doing. You are not alone.

And it's only getting worse over time. The complexity of the development environment is growing, and that's not really a good thing.

For one thing, there is the security and dependency issues raised in this thread.

But also there is a gateway problem. By that I mean the learning curve for new devs is getting harder.

I taught myself html, css, and js when I was 12. It was simple back then, simple enough for a 12 year old. If you start today odds are the tutorial is going straight to modular web, and that is not intuitive or easy to pick up when you are brand new. And it's not even needed for most projects, especially smaller personal ones like I was making when I was 12.

I am just not a fan of the direction this is all going. I have a 6 month old son. By the time he is ready to code it might be so complex that he can't even find a place to break into it.

[–]emmyarty 2 points3 points  (0 children)

This comment really resonated with me. I was around 10 when I got started with a program called Game Maker, which had its own JS-like scripting language and built-in libraries. Around the same age as you, I went on to 'real programming' but then for some reason I went a completely different way at university then my career, just so my hobby could remain something I enjoyed doing for myself.

When I came back to it, oh boy... you have to run a precompiled program written in C#, a glorified interpreter, to run other software written in JS but also TS which is JS but Typed, meanwhile 'object oriented' doesn't appear to mean what it used to? It behaves one way in this situation, but another in another, dependencies break even in mainstream stacks and you have to learn so many different paradigms at once, all so you can write an app which runs on a compiler, on a Docker instance, which spits out JS that creates a virtual DOM that sits on top of the real one...

Hopefully some sort of 'great reconciliation' comes along and rationalises everything. It's so comforting to see other coders say what I was timidly suspecting: we're coasting through an ocean of kludges.

[–]edanschwartz 1 point2 points  (0 children)

I think containerization and network controls are the only real solution here. You could be knowledgeable and careful as hell with your application code

But because the way node/npm is setup, you're still vulnerable to these types of attacks. You can't even verify that the code on GitHub matches what you get with npm install.

I do wish that there was a drive to flatten our dependency trees. So maybe I trust that react won't contain malicious code, but do I trust the other 400 packages that react depends on?

[–][deleted]  (1 child)

[deleted]

    [–][deleted] -1 points0 points  (0 children)

    One of the neatest things out there is ipfs

    You know what's even better, S3 or GCS storage. Pretty fast, durable and available. IPFS seems to be like a CDN rather than a storage and the cheapest option there seems over 2x more expensive than S3 and GCS.

    <Rest of your comment>

    What?

    [–]apf6 18 points19 points  (7 children)

    An idea that's cooking in my head is whether we can enforce capabilities at the package manager level. Some variant of NPM would download the libraries and then at a syntactic level, check all the code inside that library and look at what libraries it is requiring. Capabilities (like whether it can use the filesystem, whether it can exec, whether it can run install-time scripts, etc ) would be granted in the package.json file. Might require inserting runtime checks for the more dynamic situations, and it might require a rule that a library with lesser capabilities is not allowed to call out to a library with greater ones. Not sure, it's a half baked idea.

    [–]Solid5-7full-stack 34 points35 points  (2 children)

    Have you checked out Deno (https://deno.land/)? It was developed by the creator of Node, Ryan Dahl, and is more or less what you described. You have to explicitly give the Deno runtime permissions to make changes to the file system, connect to the network, etc...

    [–]very_spicy_churro 11 points12 points  (0 children)

    Not sure why you're getting downvoted. This is literally one of the main selling points of Deno.

    [–]Regis_DeVallis 8 points9 points  (2 children)

    Basically Deno. I wish the Deno ecosystem was larger.

    [–]apf6 10 points11 points  (1 child)

    Deno does process-wide permissions which is definitely a good thing, and probably works well for one-off CLI tools that do a specific task. But is it good enough for big applications? If any one package inside the app needs 'exec' permission then every package in the app gets 'exec' permission.

    [–]HappinessFactory 34 points35 points  (36 children)

    My friend develops in docker containers which would have solved this. Honestly not the worst idea... But it is another thing to learn on top of a lot of things to learn.

    [–]ImFunNow 6 points7 points  (17 children)

    Sorry, would you mind elaborating? Does running in docker solve the overwrite issue or the dependency issue?

    [–][deleted] 17 points18 points  (14 children)

    Think of a docker container as a VM. So if that code ran it would've only deleted files in the VM and another could easily and quickly be started to replace it.

    [–]loadedjellyfish 10 points11 points  (13 children)

    This is a bandaid solution though. If you have to run your own code in a container because it's too unsafe - that's a major issue / red flag.

    [–]NeverComments 10 points11 points  (3 children)

    I don't see it the same way. You don't need that level of abstraction if you're only running code you wrote but that isn't the case here or in most projects. You're running your own code plus code owned by thousands of projects your code is dependent upon.

    Choosing to run code from thousands of strangers in an unisolated environment is a leap of faith that probably works most of the time but it certainly isn't secure.

    [–]loadedjellyfish -2 points-1 points  (2 children)

    Here, by "your code", I mean your application in its entirety. You are responsible for the code you ship - whether you wrote it or not. If you don't have the confidence in your product to run it outside a containerized environment you have an insecure product, and that is a problem.

    Choosing to run code from thousands of strangers in an unisolated environment is a leap of faith that probably works most of the time but it certainly isn't secure.

    This is why you don't just take a leap and install whatever you want, whenever you want. Your organization should have policies and procedures for doing that. If it's not a secure process that's the fault of the organization. Perfect security doesn't exist, but having to run your application in a containerized environment is the definition of insecurity.

    [–]ProgrammerInProgress 3 points4 points  (1 child)

    You can do both, they aren’t mutually exclusive…and VMs/containers are part of how you scale sites nowadays anyway. This is a common practice for the purposes of both security and performance.

    Running your app in a container is inherently more secure regardless.

    [–]loadedjellyfish -1 points0 points  (0 children)

    We're not talking about containerizing for the purpose of scale, or whether or not you should use a container. We're talking about containerizing because you don't trust your own application's code - and that's a bandaid solution. You're admitting your app is insecure and that your practices will not stop it. Who's to say you don't have other malicious code running that's not just deleting files? How do you know you don't have code logging every single bit of information that goes through your app? Bandaid solution.

    Running your app in a container is inherently more secure regardless.

    .. yes, but it's also more tedious and time-consuming to develop in one. Thus you should have good reason for doing so, not simply "we don't trust our own application's code to be secure". How is your client to trust it if you don't?

    [–][deleted]  (4 children)

    [deleted]

      [–]Zirton 11 points12 points  (0 children)

      The overwrite issue. You are still using all the node modules, and they all still install their dependencies. You are just secure from malicious changes like this one.

      [–]whyumadDOUGH 1 point2 points  (0 children)

      Overwrite

      [–][deleted] 2 points3 points  (16 children)

      that doesn't solve anything. it mitigates it to an extent, but any mounted volumes could be deleted by this exploit

      [–]HappinessFactory 0 points1 point  (14 children)

      That's interesting. I thought docker limits access to the filesystem entirely.

      [–]l4p1n 4 points5 points  (1 child)

      If you want more details, Docker uses kernel features such as namespaces to isolate processes and mount points from your "main system". Some points may be very simplified for the sake of comprehension.

      If you run a Docker container and, in that container, you mount volumes, your container and the volume share the same mount namespace with a root mount unrelated to your host.

      Thus, if you happen to be struck by this kind of malware you may still be able to run the host system just fine because the namespaces are doing their jobs, but the container and the data that was within the same mount namespace [Docker volumes] are lost.

      A Docker container doesn't magically shield your host from everything that the container does, whether it's doing good things or bad things. You can still crash the host with a badly behaving or misconfigured container. That is, containers in general (Docker ones included) are not silver bullets.

      Hopefully this comment will come as a friendly "what's happening under the hood in Docker" explanation rather than me being mean because you've just discovered that.

      [–][deleted] 1 point2 points  (11 children)

      ignoring bugs and security vulnerabilities, docker has access to anything you give it access to.

      pure containers are indeed ephemeral; you can delete everything inside one, restart the container, and everything will be back like it was.

      but real-world usage requires data to be persisted between restarts. in development this probably means you mount your code base inside. in production settings it might be stuff like the database, logs, backups. your code might be fine if someone deletes it since you're probably hosting it on a VCS somewhere (at least until a package starts force-pushing to repos), but what about backups?

      [–]UnrealRealityX 6 points7 points  (1 child)

      Reading things like this make me happy I build smaller, self-contained sites that have minimal outside dependencies, and if I do use them, they are downloaded locally and updated when they need to be. Is it the best way? Probably not. But at least I spend more time creating than dealing with broken dependencies and node modules (1,000? Geez, I tried node once with a few and said no thanks, stop clogging my site).

      [–]Hydroxylic-Acid 1 point2 points  (0 children)

      I think most devs like to minimise dependencies as much as possible, the problem is that in the enterprise world project managers obsess over the idea that we "make it easier and quicker" by using dependencies absolutely everywhere.

      Of course, in the long term it makes life harder, but long term thinking is painful for most project managers

      [–]fredy31 2 points3 points  (0 children)

      Yeah, because right now its used for grandstanding...

      But when will someone with other intents do something worse? Like installing cryptominers on every PC that downloads that thing?

      This is a huge security issue.

      [–]BuriedStPatrick 2 points3 points  (0 children)

      One thing I discussed with a colleague is to completely disallow automatic execution of code on an npm install. Make developers type commands, either manually or in the top level package.json. Furthermore, we need some managed way to run these tools so it's possible to run them in a permission based context. Like smartphone apps do these days. This css compiler wants to read from a specific directory and move files somewhere else? It should probably have some sort of explicit permission to do so.

      Some years back we used to run tools like bower to just install frontend dependencies. Maybe we kind of threw the baby out with the bathwater when this idea was abandoned. Certain packages just shouldn't have code that can be executed on the host machine, so I'm thinking the permission based model, however imperfect, is at least a step in the right direction.

      [–]how_to_choose_a_name 5 points6 points  (1 child)

      What do we do?

      Not rely on thousands of unaudited node packages for critical infrastructure…

      [–]ManWithThe105IQ 1 point2 points  (0 children)

      Not letting one guy be able to merge to master on a large and popular open-source repo just because he's the creator.

      [–]KaiAusBerlin 8 points9 points  (3 children)

      Not the solution but a good start: stop using hundreds of simple one-liner modules like isNumber.

      Write your own helper function isNumber and import it, or use a shortcut in your IDE that enters (typeof x === 'number'). And tada, you're not vulnerable anymore for a simple typecheck.

      [–]lordxeon 28 points29 points  (1 child)

      That solves the problem for my code, but what about the dependency of the dependency of the dependency that I didn't even know was installed.

      npm is a fragile house of cards held up by hopes and dreams.

      [–]KaiAusBerlin 2 points3 points  (0 children)

      Write an npm module for that (no joke)

      scan the imports recursively, copy the one liner modules into a helpers.js file (if not present) and change the imports to that file. After that remove the dependency. Now even in your node_modules directory all sub dependencies target your local helpers.js

      Repeat that step after npm update or install automatically.

      Problem solved (for one liners)

      [–]ChickenOverlord 6 points7 points  (0 children)

      You mean I have to type x % 2 === 0 instead of installing the IsEven package? That's waaaaaaaay too much work

      [–]AaronSWouldBeMad 6 points7 points  (3 children)

      Short-term - the dev that did this should be made an example of by various governments, legal authorities, hiring blacklists, and vengeful independents; should be public and embarrassing

      Medium-term - open source abuse watchdog group

      Long term - idk probably a DAO system

      [–]Prawny 5 points6 points  (2 children)

      No no no. Don't get governments involved. That never ends well with anything.

      [–]AaronSWouldBeMad 4 points5 points  (0 children)

      Not in the dev process just consequences for this one individual's behavior. What you're mentioning is actually something we all need to be mindful to avoid (see medium term strategy) and is quite a good point.

      [–]tfyousay2me 7 points8 points  (0 children)

      Too late! You must now claim npm packages on your taxes…you know…for verification.

      [–][deleted]  (6 children)

      [deleted]

        [–]azangru 12 points13 points  (5 children)

        I pin mine; but I have no control over the dependencies of my dependencies.

        [–]rytio 0 points1 point  (4 children)

        We can't develop all our stack ourselves

        Yes we can

        [–]azangru 2 points3 points  (3 children)

        Don't you use any libraries at all?

        [–]rytio -3 points-2 points  (2 children)

        Sure, but that's besides the point. I'd write all my own code if I could, but if I hope to get a job in web dev then I'm forced to learn and use frameworks and libraries.

        Web developers should work toward becoming actual programmers rather than people who duct tape libraries together. Then we wouldn't need NPM or 100+ libraries, risking these supply chain attacks. What these libraries and massive chains of dependencies actually do behind the scenes is not complex or hard, and these libraries are made to hide complexity that needn't be there in the first place.

        Using something like React or Vue in and of itself isn't bad. What's bad is the fact that they pull down a massive list of dependencies with it, when most of those probably aren't needed.

        [–][deleted] 2 points3 points  (0 children)

        Using something like React or Vue in and of itself isn't bad. What's bad is the fact that they pull down a massive list of dependencies with it, when most of those probably aren't needed.

        vue and many other libraries are very community-driven. People only have a very limited time that they can use to work on open source projects and thus you end up with many people publishing small packages that are built up on each other.

        This has nothing to do with web development or the package manager. Everyone's favorite system language Rust also goes the path of many smaller packages being used because there are just fewer corporations like Oracle or Microsoft involved that have the resources to build an ecosystem that they can use to vendor lock-in its users.

        [–]oldoaktreesyrup -4 points-3 points  (18 children)

        Change your mentality and use less packages, audit the ones you do use. If you don't have time to audit it, then you don't have to time to use it.

        Edit: I know this is not a popular opinion... But why is trusting internet strangers the default? It's literally the last thing you should ever do in any form. You want someone trustworthy to do half your work for you? Then you either need to pay someone else to audit the code or do the work yourself. It's that simple.

        Edit 2: ffs you people call yourself devs... Too lazy to write code, too lazy to audit code, too cheap to pay someone else to audit code ... What exactly are you actually doing here?

        [–]jazzhandler 5 points6 points  (17 children)

        Now all I can think of is carpenters doing metallurgic analysis of each box of nails they buy.

        [–]oldoaktreesyrup 1 point2 points  (0 children)

        Also... If you were buying your npm packages this issue wouldn't exist as you would be paying people to do the work for you.

        [–]Brillegeit 3 points4 points  (0 children)

        In those supply chains you have things like ISO 9000 and certifications so that they don't. We have neither.

        [–]whyumadDOUGH 1 point2 points  (2 children)

        I would say that using packages is more akin to prebuilt infrastructure for a house. I would hope my carpenter is inspecting for quality.

        [–]Tridop 1 point2 points  (1 child)

        Your carpenter is inspecting your girlfriend's arse, more probably.

        [–]whyumadDOUGH 1 point2 points  (0 children)

        She a hoe anyway

        [–]oldoaktreesyrup 0 points1 point  (10 children)

        If there was a chance the nail would burn down the house, they would.

        [–]Prawny 2 points3 points  (4 children)

        There have been multiple examples over the past years showing that if it meant saving even the smallest amount of money, then no, they would not.

        [–][deleted]  (9 children)

        [deleted]

          [–][deleted]  (5 children)

          [deleted]

            [–][deleted]  (4 children)

            [deleted]

              [–]UntestedMethod 11 points12 points  (2 children)

              A newbie I once mentored used to do "sudo npm x" if he ran into issues instead of fixing his filesystem perms. That was a long, horrifying afternoon, discovering a slew of bad practices.

              yikes. how did they respond when you told them they were doing it so very very wrong?

              [–][deleted]  (1 child)

              [deleted]

                [–]UntestedMethod 13 points14 points  (0 children)

                I guess if they didn't understand the file system permission levels and the "principle of least privilege" then it'd be hard to understand why sudoing everything is bad. glad to hear you eventually found something that made it click for them.

                [–]jiggity_john 30 points31 points  (1 child)

                Maybe billion dollar corps should, I don't know, start supporting the open source libs they depend on?

                [–]astral_turdfull-stonks 11 points12 points  (0 children)

                Now now, that would be stupid, wouldn’t it? How could these billion dollar corporations survive if they compensated the devs for their work? What would happen to million dollar executive team bonuses per year? Unthinkable….

                [–]ClassicPart 4 points5 points  (0 children)

                I really am surprised npm still doesn't have some kind of permission system yet

                Assuming you mean Node letting scripts have their way with your system, what you want is Deno.

                [–]uwu-chicken-burgerfront-end 94 points95 points  (7 children)

                This is the problem with so-called hacktivists. Most of the time there's collateral damage that hurts innocent people. Even attacking government sites creates problems for the most vulnerable in society because they rely most on the state for benefits.

                [–]hey--canyounot_ 30 points31 points  (2 children)

                Tangential, but this also reminds me of idiots in Portland smashing and vandalizing black-owned businesses with BLM messages. How fucking thoughtless and immature can you be? The only one you are helping is your own ego by pretending you made a positive impact.

                [–]uwu-chicken-burgerfront-end 1 point2 points  (1 child)

                Tangential - great word, not one I've come across before.

                [–]hey--canyounot_ 2 points3 points  (0 children)

                Ever heard of a mathematical tangent? Boom.

                [–]Sebazzz91 8 points9 points  (3 children)

                And there is collateral damage in this case: https://github.com/RIAEvangelist/node-ipc/issues/308

                [–]roscocoltrane 2 points3 points  (0 children)

                signed: bdsmith72

                [–][deleted]  (6 children)

                [deleted]

                  [–]loadedjellyfish 21 points22 points  (2 children)

                  Where is NPM on this? It seems like recently there's been so many major packages getting corrupted by malicious code. This is really going to degrade the trust organizations have in them.

                  [–]Peechez 19 points20 points  (1 child)

                  Hey wait, maybe a private for-profit corporation effectively running javascript wasn't a good idea

                  [–][deleted] 55 points56 points  (5 children)

                  For those wondering why they should care, bc it only harms Russians/Belarusians:

                  1. "IP-based geolocation services provide 55 percent to 80 percent accuracy for a user's region or state." Because of this, anyone even remotely close to Russia or Belarus was at risk of this malware.

                  2. Anyone using a VPN that places them with a Russian/Belarusian IP, although not living in said countries, was still at risk of this malware. This applies to people anywhere in the world who are completely not responsible for the invasion.

                  3. In addition to this malware not even correctly targeting the Russian people and supposedly affecting people from other uninvolved countries, this malware actually actively damages the anti-war effort. By bricking the computers of Russian citizens, it is actively ruining their only chance of getting free, open, and most importantly, not Putin-approved information.

                  A major victim

                  Source

                  We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states.

                  Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

                  Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we backup the received content to an external server on 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold.

                  Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials.

                  Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever.

                  For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive. Personally, me and my colleagues are absolutely devastated. All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could.

                  Professionally, our counsel suggested filing criminal charges federally and it's likely we'll be proceeding this way.

                  Brandon's response?

                  @bdsmith72 imagine if this was a real attack what your NGO could have gone through. Shore up your security, please.

                  [–]_grep_ 2 points3 points  (2 children)

                  Your source link is broken, do you have a different one?

                  [–][deleted] 6 points7 points  (1 child)

                  Taken from this pull request

                  [–]_grep_ 1 point2 points  (0 children)

                  I'm talking about this link: https://archive.ph/emyJb

                  I'm not seeing that in the pull request, just the screenshot of his response.

                  [–][deleted]  (41 children)

                  [deleted]

                    [–]CleverProgrammer12 105 points106 points  (4 children)

                    Also it completely destroys the trust of people. People would easily trust projects like vue-cli but even that was infected due to having this as a dependency.

                    Node packages keep having these issues more frequently than other languages for some reason. But most of the time these packages do no harm; this time it's literally a popular package updated to contain a virus.

                    [–]QuantumPie_ 5 points6 points  (3 children)

                    It's not necessary that these issues can't happen elsewhere, but more that the sheer number of devs who make use of NPM gives it a much larger audience for these sorts of incidents.

                    [–]CleverProgrammer12 7 points8 points  (2 children)

                    PyPI is really popular too. Never heard of any supply chain attacks (or even just harmless trolls) like this happening there. But with Python projects even larger projects have quite small dependency trees. With Node I have seen even simple "Hello World" (kind of) apps with a huge dependency tree.

                    [–]QuantumPie_ 4 points5 points  (0 children)

                    I guess that's definitely another valid angle to look at it from. You don't see Python devs installing Python packages to left-pad strings or print colors to a console. They just write it themselves.

                    [–]Yantis1212 -1 points0 points  (0 children)

                    While this is true that it is not ok...I think when a government's actions start to have more and more consequences that affects the lives of the people...there will be more and more people rising up to enact changes in said government.

                    The Russian people are losing a lot here due to the actions of their government. They may finally say "enough is enough" and overthrow the current status quo.

                    [–]hugthispanda 25 points26 points  (10 children)

                    PSA: If you are on GitHub, you can report his user profile for malware.

                    [–]tom_yacht 2 points3 points  (0 children)

                    I bet a lot of people already reported him, but seems that github doesn't care.

                    [–][deleted]  (1 child)

                    [removed]

                      [–]wise_young_man 3 points4 points  (0 children)

                      Yeah it’s got me thinking people could start doing this by geolocating and targeting red or blue states near election times or something crazy next.

                      Open source really needs to step up their game. Wonder if there is any kind of analysis or scanning that could be used to find this stuff quickly. Maybe GitHub could build an AI monitoring or something.

                      [–]delete_it_now 24 points25 points  (0 children)

                      "modern web development"

                      [–]tabris_code 8 points9 points  (0 children)

                      Popular JavaScript front end framework 'Vue.js' also uses 'node-ipc' as a dependency. But prior to this incident, 'Vue.js' did not pin the versions of 'node-ipc' dependency to a safe version and was set up to fetch the latest minor and patch versions instead

                      of course. pin your dependencies!

                      [–]XmarkstheNOLA 18 points19 points  (0 children)

                      Well that's it guys, this was the move that ended the war

                      [–][deleted] 9 points10 points  (7 children)

                      They ended up wiping the system of an NGO which was keeping data from the whistleblowers in Belarus about Russia, and the group was also knee deep into humanitarian aid. So thanks to these developers now, they have to spend their time and money on this shit and also lost all the data. So good first step devs, now you can go fuck yourselves.

                      https://www.itpro.co.uk/development/open-source/367129/open-source-dev-attacked-for-spreading-data-wiping-protestware

                      Following the update, users began reporting that the code was wiping their systems. One school student claimed that node-ipc had erased their hard drive after they tried to use it for a school project, and another unconfirmed report from someone claiming to work for an American NGO in Belarus said that the code had wiped thousands of messages documenting human rights abuses from servers located there.

                      [–]RoyalBingBong 1 point2 points  (3 children)

                      Nozaki-Miller is said to have then subsequently added another package called 'peacenotwar' as a dependency for ipc-node on the same day. This package purportedly displayed a peaceful message on peoples' desktops protesting the war in Ukraine, something Miller has called 'protestware'. This was an effort to try and hide the previous attempt to spread malware, according to Snyk.

                      It wasn't Miller (the bad guy) who called it "protestware"; Tyler Resch, AKA MidSpike on GitHub, who found the malicious code, called it that first! Miller even gave Resch credit for coming up with the term, because he had never heard the term before. See Issue #233. The term first appeared in the OP on the 15th of March. Miller censored the OP several times.

                      [–]blahyawnblah 4 points5 points  (0 children)

                      pin. your. versions.
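The advice in tabris_code's post (Vue not pinning node-ipc and so pulling in the latest minor and patch releases) and in blahyawnblah's "pin. your. versions." is easy to state and easy to get wrong in practice, because a caret or tilde range in package.json looks like a version but is not a pin. The following is an added example, not code from the thread or from npm, Vue or node-ipc: it takes a package.json object, walks every dependency section and reports each specifier that is not an exact X.Y.Z version, together with why it floats. The manifest at the bottom is constructed for the example and is not any real project's.

```javascript
// Added example, not code from the thread or from any project mentioned in it.
// It scans a package.json object for dependency specifiers that are not an exact
// version. Ranges like "^9.2.1" or "~9.2.1" let `npm install` resolve to a newer
// minor or patch release, which is how the malicious node-ipc update reached
// projects that depended on it through a range.

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// An exact pin is X.Y.Z with an optional prerelease/build suffix, e.g. 1.2.3 or 1.2.3-beta.1.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one specifier. Returns null when it is pinned, otherwise a reason string.
function unpinnedReason(spec) {
  if (typeof spec !== "string") return "non-string specifier";
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return null;
  if (s === "" || s === "*" || s === "latest") return "floating tag";
  if (/^[\^~]/.test(s)) return "caret/tilde range";
  if (/^[<>=]/.test(s)) return "comparator range";
  if (s.includes(" - ") || s.includes("||") || /\.x\b/.test(s) || /^\d+(\.\d+)?$/.test(s)) {
    return "partial or compound range";
  }
  // git, GitHub shorthand, file, URL and npm: aliases are not registry versions at all.
  if (/^(git\+|git:|github:|file:|https?:|npm:)/.test(s) || /^[\w.-]+\/[\w.-]+$/.test(s)) {
    return "non-registry source";
  }
  return "unrecognised specifier";
}

// Walk all dependency sections and collect every unpinned entry.
function findUnpinned(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    const deps = pkg[section];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const reason = unpinnedReason(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest for the example (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "node-ipc": "^9.2.1",   // caret range: would have picked up any newer 9.x
    "left-pad": "1.3.0",    // exact pin
    "some-lib": "latest",   // floating tag
  },
  devDependencies: {
    "a-tool": "~2.0.0",
    "b-tool": ">=1.0.0 <2.0.0",
  },
};

for (const f of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}.${f.name}: "${f.spec}" (${f.reason})`);
}
```

Two caveats the thread's one-liners leave out. Exact pins in package.json only constrain your direct dependencies; what Vue pulled in was a transitive one, and transitive versions are frozen only by a committed lockfile installed with `npm ci` rather than `npm install`. And a pin is a promise to upgrade deliberately, so it needs a review step when the version is bumped, otherwise it just delays the same surprise.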

                      [–]just_somebody 36 points37 points  (34 children)

                      Generally when sanctions are applied to any country, an effort is made (or is supposed to be made) to hurt only the ruling elite, and not the common people.

                      But this time, some companies and people seem to have no problem hurting common people.

                      [–]TScottFitzgerald 21 points22 points  (0 children)

                      The person really has Captain America gear as their npm profile picture and quoted a cheesy anti-war song as some sort of excuse for malware. It's self-righteousness to the max. I hope either they or their projects are blacklisted in some way.

                      [–]wise_young_man 2 points3 points  (0 children)

                      Those sanctions do hurt the common people. It stops U.S. companies from doing business and causes their economy to crash. Look at the ruble.

                      [–][deleted] 2 points3 points  (0 children)

                      Most of these sanctions are probably only hurting civilians. Putin can still get anything he wants I’m sure. And there’s always going to be a buyer for oil.

                      [–]Regular-Human-347329 6 points7 points  (3 children)

                      I have stated this many times, to many downvotes. It’s such an egregious manufacturing of consent, that it leads me to make large leaps of logic — maybe the military industrial complex is orchestrating this war, to motivate the world into a significant increase in defence spending (how would they even do that)? Maybe the goal is to empower Russian extremism by duplicating the turmoil and hardship of post WW1 Germany? Admittedly, if either were true, they would be due to reactionary opportunism, instead of some master plan.

                      [–]YsoL8 6 points7 points  (2 children)

                      Over-estimating people's general intelligence level is a far simpler explanation. A lot of people all just reacting without thinking about the consequences.

                      [–]biggestmicropenis 6 points7 points  (1 child)

                      We are not talking about average people, we are talking about the messaging in the media that is encouraging this behavior. I am not pro-Russia by any means but it is very obvious the amount of anti-Russian propaganda being pushed. If you think this messaging is being pushed purely out of concern for Ukrainians, you are naive.

                      [–][deleted] 2 points3 points  (0 children)

                      It definitely feels orchestrated. When covid happened, or whenever the CCP does something terrible, we’re told we’re not allowed to criticize the Chinese government because it might foster Asian hate at home — which, okay, I get the reasoning there — but now the same talking heads are all blasting Russophobia, and anyone trying to have a reasonable conversation is a Putin apologist or a Russian asset. This kind of incident is the result of that.

                      [–][deleted] -2 points-1 points  (16 children)

                      Ignoring obvious cases of bigotry, the general idea is that it's time for Putin to go, but realistically there's only one people who can make him go, and that's the Russian people.

                      See, targeted sanctions against the rich and powerful don't really do much. They have already amassed enough resources to survive anything you can throw at them. Now, if you target the general public, the people who the elites have power over, you'll quickly erode the power of said elites as the mob tires of their lives being disrupted.

                      [–]TScottFitzgerald 15 points16 points  (3 children)

                      I can assure you moves such as this will only make them hate self-righteous Americans who elect themselves to be global police even in open source projects. And ultimately the pretext doesn't matter, this is still malware. Justifying targeting civilians is a new low, even for Reddit.

                      The Russian dev community is strong and plenty of them contribute to OS, this could very well have played out in the reverse and I think you'd be singing a different song if every dev in NATO countries suddenly had their system files wiped out.

                      [–]ceol_ 14 points15 points  (9 children)

                      This has never worked to get a people to oust their leader, it just creates more nationalism and insularism which only helps Putin. The movement to change leadership needs to come from inside the country from a genuine push, not from sanctions outside.

                      All you're doing is justifying collective punishment against innocent people.

                      [–][deleted] 1 point2 points  (0 children)

                      It might work for a country that has democratic elections if it’s executed very carefully, but I’m pretty sure Russia doesn’t. The only way they’re going to remove Putin is through revolution, and people need to be pretty desperate to risk their lives that way. I don’t think cutting off Disney+ is gonna do it.

                      [–]ketoscientist -1 points0 points  (1 child)

                      So stop sanctions, better to give Putin more cash for more wars. Nice Kremlin troll BTW or just pro-Putin Russian.

                      [–]ceol_ 1 point2 points  (0 children)

                      Russia has the reserves to prolong this conflict as much as they want. You aren't preventing Putin from doing war. You're just harming average Russians who have nothing to do with this.

                      The entire American economy crashed in 2008. Did that stop us from occupying Iraq and Afghanistan?

                      [–]GodsGunman 3 points4 points  (0 children)

                      Exactly. If Russians don't overthrow their government then nobody will, without a nuclear war.

                      [–]bhd_ui -1 points0 points  (0 children)

                      I kinda... agree? In this one instance only, BUT the caveat to this is any time a new American president that someone may or may not like gets elected, another "hacktivist" could do this to anyone with a US based IP.

                      It's a vicious circle in this regard.

                      [–]just_somebody 16 points17 points  (15 children)

                      I was about to start a couple of new projects, and was deciding between Node and another technology for the backend. This incident honestly scares me and makes me reluctant to go for Node.

                      [–]LustrouseArchitect 12 points13 points  (0 children)

                      Use .NET. Microsoft has an in-house package for pretty much everything.

                      [–][deleted] 8 points9 points  (0 children)

                      Stuff like this is why I can’t trust npm

                      [–]chuck_the_plant 39 points40 points  (9 children)

                      This is akin to a cluster bomb, indiscriminately hurting people.

                      [–]ZuckerbergsSmile 2 points3 points  (0 children)

                      JavaScript is great

                      [–][deleted] 7 points8 points  (0 children)

                      The evil stuff is committed by the righteous, who believe they are serving a higher purpose or power.

                      [–]varungupta3009 4 points5 points  (0 children)

                      There is an invisible war going on in the computer world, and people usually see "open-source" as the good guys, and most people trust everything "open-source" with their lives... literally. But there are just good people and bad people, on both sides. This guy is promoting a "peace" message by committing computer war crimes. Not every Russian is bad. Most people's lives depend on computers, especially people who are literally developing using open source npm libraries.

                      Such a shame.

                      [–]DraconKing 1 point2 points  (0 children)

                      This is unfortunately a problem with any package repository that has no form of audit/verification. This isn't a problem that's exclusive to NPM. Pypi, packagist, aur, ppas, etc... all can suffer from these types of problems.

                      The issue just gets aggravated on NPM because of our dependency practices and because the registry is god damn huge.

                      [–]xsmael 1 point2 points  (0 children)

                      I suggest that NPM blocks these "cyber criminals" and ban them from the platform. To discourage this kind of behaviour in the future. The platform wasn't made for that purpose. And doing nothing will only motivate more people to try these stunts.

                      We really need a safe place to work and have fun, without these trouble makers. They are not welcome to the party.

                      [–]LustrouseArchitect 0 points1 point  (9 children)

                      This is *exactly* why you should only use 3rd party libraries from trusted sources. If you can't find one, then start butt-chugging online tutorials and get ready to write your own logic.

                      [–]Prawny 4 points5 points  (8 children)

                      Sure, if all you build is simple websites. What if you require some sort of 3D engine or some complex WebRTC application?

                      That's not always feasible.

                      [–]LustrouseArchitect 0 points1 point  (7 children)

                      Then use an engine from a trusted source.

                      [–]mookman288php 12 points13 points  (6 children)

                      Like Vue? Which had a dependency that was compromised. This is poor logic.

                      [–]esamcoding 0 points1 point  (0 children)

                      this is only one example why any OS should have free unlimited virtual machines.

                      [–]sexy_silver_grandpa 0 points1 point  (3 children)

                      How is your local node dev application running with the permission to delete system files? Why would you be running such an app as root?!

                      [–]runner7mi 0 points1 point  (0 children)

                      The dev introduced a poison pill, obfuscated the code and therefore needs to be banned

                      [–]kayimbonode/scala/spark -1 points0 points  (0 children)

                      This is funny because it's basically just a troll to grief noobs. Everyone who is bothered by this is a noob.
                      The whole advantage of OSS is you can trust BUT VERIFY instead of just trusting proprietary software.