16
AleCx04
5y

Yo...wtf

A node package, event-stream. Was infected. Basically, the exploit seems to steal data from mining cryptocurrencies. What was amazing was the github repo owner's attitude about it. I would normally agree with it not being his issue anymore if it weren't because:

1. The pendejo did not archive the repo to indicate that he is free of fault and not his anymore.

2. You can't just entrust a fucking software lib to any pendejo that asks.

3. Eat a dick nigga

Peace out

https://github.com/dominictarr/...

Comments
  • 7
    And people wonder why I don’t trust 3rd party dependencies that no one has time to sift through.
  • 1
    Why would you archive the repo thus not letting people discuss in issues and make pull requests? Seems like a stupid and arrogant thing to do.
  • 3
    @Taqriaqsuk when you pass the repo to someone else and they own it now, you archive it to show that you are not the one maintaining it. Which is something that this dickhead should have done the moment he gave it to some hacker.
  • 2
    @C0D4 eeeeeexactly
  • 4
    @irene coz crazy people will be crazy people.

    And you know the usual argument, “I don’t need to learn multiple languages to do my job” 🤷‍♂️ that would bore the crap out of me.
  • 4
    @irene
    Yeah I know, but the crazies don’t like to learn, instead they just “npm install someRandomModule” and call it a day.

    I guess that turned out well today 😆
  • 1
    @irene i don't see it as a joke. Exploits like this can happen and have happened on pretty much any stack known to man.

    I have 1 express app working in production. It runs like an absolute charm and it took me less than 2 days to implement(cuz i need to sleep and i do procrastinate a lot)

    💁‍♂️
  • 6
    @C0D4 i dunno man. I have worked with a wide range of stacks professionally:

    Php (lumen, codeigniter, wordpress, symfony(old, version 2 old)
    Java (som old ass jsp shit and newish jsf shit)
    Classic ASP
    RoR
    Django
    ASP.NET MVC(With both c# and vb.net utilities)
    Cpp(used the opencv for an Android scanner implementation)

    And Node. Granted, Node was: for another company with certain utilities they had and a small express server. And for me, just 2 projects. But both in production and both professional. And the Node people were by far the cleanest and the only ones(along the Rails people) that cared about quality and tests.

    Would i use it for everything? Nope. Would i diminish it and call it a joke? Nope. Pros and cons and right tools i guess.
  • 4
    @AleCx04 that wasn’t an attack on you - generalisation has its side affects.

    I learnt my lesson with dependencies back in my wordpress days, since then I absolutely have nothing against using something prebuilt to get the job done, but that’s after I have gone through said project/lib/module or what ever and localised it, if it’s obscure or over engineered I’ll just write my own version.

    It only takes one asshole to make a mess of things - take the LPAD issue a while back for example.
  • 2
    From what I have read, it would not surprise me if the same guy did all the dirty work covered behind different account name.
  • 1
    @C0D4 i know it wasn't bro. With some of y'all I imagine it as a friendly conv over beer just talking and chilling.
  • 0
    @jote ooooo the plot thickens
  • 2
    @AleCx04 🍻

    @jote hahaha that would be gold!
Add Comment