Pure evil and geniusness, this is a must read for JavaScript developers and security enthusiasts !

  • 7
    Haha, that was a good read. Thx for sharing.
  • 6
    Indeed an interesting read
  • 4
    The deeper the reading, the more interesting it gets, and it points to threats unimaginable before.
  • 4
    'installing npm packages as popping pain killers' 🤣🤣🤣🤣
  • 1
  • 7
    A good cure against this:

    * Ask yourself, continuously: Do I really need this? Should I use this library, should I even need to use *any* library?
    * Develop a small set of personal libraries, modules and tools. Maybe you agree that jQuery is gross and React is overkill for your personal blog... but a little ajax call wrapper might be useful? Some animation effects you like? A bit of string manipulation, you can handle that by yourself, right?
    * Contribute to projects, read their code. Like the author mentions, there are ways around this by minifying/tarring infected samples into package manager repos manually, but still... more human eyes on malicious open source code will at least filter the most obvious shit.

    But in the end, we're also going to need way stricter distribution tools. All package managers really must start thinking about rules, detection mechanisms and verification tools.
  • 1
    Great article
  • 2
    The thing is that whether it's online or someone skimming your card at a foreign hotel, your sensitive details will eventually get out somewhere if you're not careful enough. For that reason you should make use of two-factor authentication, check your statements and change your passwords regularly. We put security gates in at our houses, but we still have insurance (it's the same principle).
  • 1
    Hell of an article, thanks for sharing!