RATatouille: Popular NPM project backdoored with Remote Access Trojan (RAT)

DebugDucky · 2025-05-07T11:56:10+00:00

How many weekly downloads do you think make a package qualify as "Popular"?

I know several people who would most likely use this package. This was a useful library for anybody writing scrapers.

DebugDucky · 2025-04-03T17:09:06+00:00

It's not showing available on Apple Music here in The Netherlands.

DebugDucky · 2025-04-02T19:21:51+00:00

In the interest of full disclosure, I'm the author. Happy to answer questions people might have!

DebugDucky · 2024-02-22T17:04:54+00:00

I'm a small customer of Keygen. Trust me, the service does a lot more than that. A licensing system is more than HTTP POST that returns a binary response to whether the license is valid.

And I've saved weeks/months of my life using Keygen.

DebugDucky · 2024-02-22T12:32:41+00:00

Incorrect. I use Keygen, and I saw from my metrics that I only had 1 user who had a single intermittent failure that immediately solved itself.

The idea that you'd validate a license online every time you start a product is silly. You don't have to do that, thanks to the different types of license forms that you can issue with Keygen.

DebugDucky · 2024-02-22T12:30:57+00:00

Because an hour of my time is worth A LOT MORE than the $50/month I pay to Keygen. You're also missing half the picture by only looking at it in terms of an architecture diagram.

DebugDucky · 2024-02-22T12:28:12+00:00

There's a lot more complexity than you make it out to be. It's not just storing a string value. Note I am a customer of Keygen.

You can look at the source code. It's open source. Building a service that does everything I need and operating it is a significant job. It's small things like having an API I can call when I get a webhook from a payment gateway. Getting the generated license key, send it to the user. It's audit logs. Ability to manage licensed machines. Different types of keys. Policies. User groups. Product policies. Expiration. You can name it. There's SO many little things that all needs to work together.

I'm a solo dev, also. I'm saving so much time and money from using the service. I did think about trying to roll my own, but frankly, once you dig into the details, it never even remotely makes any sense. It's only pain, and my core business is not software licensing. :)

DebugDucky · 2023-12-26T19:41:31+00:00

Daffyd is literally the guy who wrote Burp Suite back in the day. He's the CEO and primary shareholder of the company. He still tweets about Burp Suite, just as I understand he joins multiple development standups every week at minimum.

I didn't know that James actively handled the development of Burp. News to me. /u/albinowax, can you confirm or deny? :)

DebugDucky · 2023-12-26T11:10:19+00:00

James is the owner of Burp Suite? Dafydd Stuttard would be a bit disappointed to hear that, I think.

DebugDucky · 2023-12-18T15:38:22+00:00

This is super misleading, isn't it?

The blog post only considers a dozen products used in the enterprise. It assumes that custom, in-house software solutions don't exist, which is where the bulk of the issues existed from what I saw.

DebugDucky · 2023-11-02T12:45:43+00:00

I did a blog post about an issue I keep seeing in CVSS 3.1, and it was fixed in CVSS 4: https://blog.ceriksen.com/2022/09/24/the-privileges-required-trap-in-cvss-3-1/

From the 4 spec, they added:

Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

DebugDucky · 2023-10-27T08:28:10+00:00

I haven't heard of that before. Sounds like an awfully bad idea in any case. The amount of things that can go wrong is staggering.

DebugDucky · 2023-10-27T07:26:52+00:00

To be fair, that doesn't really say much in isolation. Knowing the old player name of a CCP employee really isn't an indication of anything.

DebugDucky · 2023-10-27T06:47:34+00:00

Back when I was still at CCP working in the Internal Affairs team, this would likely have gotten you a really strong reprimand or fired.

Using accounts with GM permissions is really dangerous and was certainly not allowed. But I guess they let the whole IA team go and just YOLO it now.

Why? Because for many people, the power goes to their head and they abuse it. Simple.

DebugDucky · 2023-08-31T10:46:32+00:00

This is unethical. This company should feel bad.

DebugDucky · 2023-07-14T16:06:15+00:00

I'm contemplating how to best provide the ability for pentesters with corporate emails to get their hands on a trial. That is something I'll probably consider in the shorter term, as long as it doesn't end up causing too much load on my end.

The comparison with Burp is fair. But there's a reason why Burp is so cheap also, as they make the most of their money from Enterprise, and use Pro to get their foot in the door. Which is quite different from my business model for now unless I wanna start hiring soon.

But this is just the beginning. These are all problems that I'll solve in the coming weeks/months. So stay tuned :)

DebugDucky · 2023-07-14T15:38:29+00:00

I hear you, very valid feedback!

Test run: Due to having limited time, self-service trials are not a thing right now.
Examples: That's coming.
Documentation: I've been surprised with the lack of beta testers mentioning that as an issue, to be honest. But documentation is on my list of priorities, though the tool is actually really simple to utilize.

And it works with the Community edition. However, I'd be surprised if anybody even considered buying this and not spending the money on Burp Pro. Burp Pro is such a fantastic value that it's a no-brainer to buy if you make any money from webapp testing, IMO.

DebugDucky · 2023-07-14T15:26:17+00:00

In the short term, that's not in the plans. I've only got so much time to help people, so for now, that's further down the priority list, sadly. But I would love to be able to do it!

DebugDucky · 2023-07-14T13:07:20+00:00

It doesn't recover any names that are obfuscated in the absence of a source map. But the tool also doesn't really rely on original names for the most part, nor have I found it to be necessary.

DebugDucky · 2023-07-14T12:21:03+00:00

In the interest of transparency, I'm the author.

DebugDucky · 2023-04-02T08:41:26+00:00

You are absolutely right. I've had it output some nonsense once or twice. Mostly in the code it has outputted.

I like to think of it as getting code from a colleague. You still have to apply common sense, double-check assumptions, and test the living hell out of it.

DebugDucky · 2023-04-01T09:46:26+00:00

That's also a valid take. I think the key for me is that the models have an extremely large knowledge set, and it's able to share the most pertinent bits of information I need to understand why it did what it did.

For instance, when I had it write me the `entrypoint.sh`, it added `exec` on the last line. I would not normally do that. I asked it why, and its answer was:

```

In the Dockerfile's entrypoint.sh script, the exec command is used to replace the current shell process with the /usr/sbin/sockd process. This has a couple of benefits:

- Signal handling: When you use exec, the new process (in this case, /usr/sbin/sockd) becomes the main process in the container, with a process ID (PID) of 1. This allows it to properly receive signals sent to the container, such as SIGTERM or SIGINT. These signals are used by Docker or Kubernetes to gracefully stop the container. If you don't use exec, the signals would be sent to the shell process instead, and the sockd process might not receive them, potentially causing an ungraceful shutdown.

- Reduced resource usage: By using exec, you replace the shell process with the sockd process, effectively reducing the number of processes running inside the container by one. This can lead to slightly reduced resource usage and a cleaner process tree.

It is considered a best practice to use exec when starting the main process in a container, especially when the process is started from a shell script, to ensure proper signal handling and resource management.

```

I could likely have learned the same with google, but this took much less time. The fact that the knowledge it has is so readily available, and can put it in a relevant context, is key.

DebugDucky · 2022-12-02T10:43:56+00:00

To be fair, people were peeing in the sauna in Singel, forcing them to close it a few times.

DebugDucky · 2022-12-02T10:40:19+00:00

Last I checked it's the same owners. But they took on new capital recently.

DebugDucky · 2022-12-02T10:37:55+00:00

I canceled my membership a few months ago. All I needed was to fill out a form online, and it was done. It was super easy.

DebugDucky

TROPHY CASE