15

Beware of NPM packages maintained by Brandon Nozaki Miller alias RIAEvangelist. He added IP-specific malware to node-ipc.

https://security.snyk.io/vuln/...
https://github.com/RIAEvangelist/...

Comments
  • 12
    The Qt Company did something like this, but not malicious as far as I know. They blocked IPs from Russia from downloading their development system (like they can't just use a VPN). This included paying customers, think about that. This only hurts the little guy. If people really cared about human rights, we would be blocking just about every country, especially China and the USA.
  • 3
  • 8
    Oh, what a surprise, I thought it would be totally secure to execute programs from people that tell you to do:

    curl some.random.doma.in/foo/bar | sudo bash -
  • 16
    This whole shitty ecosystem needs to come crashing down. After the "leftpad" disaster a few years ago, it should have been clear that pulling in gigabytes of JS trash from all over the internet isn't a good idea, not even if they tree-shake 95% of it away. However, they just pretended shit hadn't happened.
  • 2
    @Demolishun But how else are they supposed to virtue signal??
  • 4
    @Fast-Nop Maybe this finally woke some people up and we (as in the larger programming community) can figure out a batteries-included and cross-platform way of sandboxing this sorta shit

    Rust code also likes to accrue lots of dependencies that can have build scripts that are literally just programs that get compiled and run at compile time

    That always scared me
  • 5
    @12bitfloat I've always seen Cargo as a problem with Rust, not a feature. You can see how Rust originated in a web company where people are so used to these shitty practices that they didn't think twice and haven't grasped that dependencies are at least as much of a liability as an asset.

    Package managers are nice in theory for the C/C++ situation of half a dozen dependencies, but the problem is that they make dependencies so easy that they proliferate quickly. Before you know it, you have dozens of them recursively, and you have no idea what your code is actually doing - or even whose code is in there.
  • 0
    Yes, the NPM system is flawed and this shows it. But I'm firmly in favour of the guy's actions: in the choice of "do it" or "don't do it" he made the *more* ethical choice.
  • 2
    This is fucked up, I get the guy's actions, but the fact that this can be done is messed up. This ladies and gents is why homeboy over here left Node a long time ago.

    Can't vet EVERY single package that gets pulled from the internet, made even stupider because of cyclical dependencies and shit. Node would be good if developers would just write their own code using the base library... BUT OH WAIT, the base library for Node is so limited that literally everything would have to be pulled and built from scratch...
  • 0
    @12bitfloat What do you think of Deno's permissions + vetted approach to this sort of thing? Personally I have had enough of this sort of thing happening in the JS ecosystem to keep playing, but so far Deno does seem like a somewhat-good proper approach to permissions.
  • 0
    @AleCx04 I don't think you need that many libraries. I mainly use C; C has a very limited number of standard functions. I don't use many libraries.
  • 0
    @Demolishun Meh, there is being upset with the norm of not giving a fuck about human rights but feeling powerless to actually do anything because no one is truly clean. Cool, you are right and edgy. But you gotta do business. Compare that to being very upset with the sudden, abhorrent, and prolific amount of human rights Russia has violated by creating an unprovoked war in a peaceful country via an astroturf propaganda campaign, and feeling like at least you can block Russia for this particular bs is an acceptable dichotomy.

    No doubt in 2003 they may have been blocking US IPs for the similarly illegal invasion of Iraq. However, most of this stuff that is being judged now didn't exist then.
  • 0
    @happygimp0 I get you homie, but it is not the same thing in the realm of web development. Do I trust my own code to work for authentication, authorization, sessions, etc.? Or do I use something that has been used by other developers with 1000+ stars on GitHub (big stretch, but you get me)?

    In C, where you are mainly building drivers or microcontrollers, you require a different approach; not as much in terms of web development languages, where you are facing completely different scenarios. Not shitting on C or embedded/kernel/driver/compiler devs, but we live in extremely different worlds.
  • 2
    @AleCx04 The problem is that you don't just use something with 1000 stars because the dependency chains have become insane. Effectively, you have no way to even know what you are using because vetting these deep dependencies isn't humanly possible.

    An ecosystem where any random stranger on the internet can perform a supply chain attack, which is basically what happened here, is completely unsuited for anything with higher security needs than grandma's cat homepage, and even then.

    The leftpad debacle was a wake-up call that the whole ecosystem chose to ignore.
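The point about dependency chains above is easy to check against a real project, since npm's lockfile records the whole resolved tree. The following is an added example, not code from the original post or from node-ipc: it walks a lockfile (v2/v3 format, the `packages` map) to count how many transitive packages one direct dependency really pulls in and which of them declare install-time scripts (`hasInstallScript`, the field npm itself writes). The lockfile embedded below is a constructed, hypothetical fragment; the package names in it are invented for illustration and are not real packages.

```javascript
// Added example, not part of the original thread. Audits an npm lockfile
// (lockfileVersion 2 or 3) to answer "what does this one `npm install` line
// actually pull in?" Constructed sample data; the package names are invented.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    // The "" entry is the project itself; its deps are the direct deps.
    "": { dependencies: { "app-rpc": "^1.0.0" } },
    "node_modules/app-rpc": {
      version: "1.0.0",
      dependencies: { "ipc-core": "^2.0.0", "tiny-log": "^0.1.0" },
    },
    "node_modules/ipc-core": {
      version: "2.3.0",
      dependencies: { "sock-helper": "^1.0.0" },
      hasInstallScript: true, // npm sets this when pre/post/install scripts exist
    },
    "node_modules/sock-helper": {
      version: "1.0.2",
      dependencies: { "tiny-log": "^0.1.0" },
    },
    "node_modules/tiny-log": { version: "0.1.5" },
    "node_modules/dev-only": { version: "3.0.0", dev: true },
  },
};

// Mirror Node's resolution: look in <from>/node_modules/<name>, then the
// parent's node_modules, and so on up to the top-level node_modules.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // not in the lockfile at all (optional/missing)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from one direct dependency, collecting every package it
// transitively requires. Returns Map<lockfilePath, lockfileEntry>.
function transitiveClosure(lock, rootDepName) {
  const start = resolveDep(lock, "", rootDepName);
  const seen = new Map();
  const stack = start ? [start] : [];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    const entry = lock.packages[p];
    seen.set(p, entry);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(lock, p, dep);
      if (target && !seen.has(target)) stack.push(target);
    }
  }
  return seen;
}

// Strip "node_modules/" prefixes so "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditDirectDependency(lock, name) {
  const closure = transitiveClosure(lock, name);
  return {
    name,
    // everything except the direct dep itself
    transitiveCount: Math.max(closure.size - 1, 0),
    packages: [...closure.keys()].map(packageName).sort(),
    // packages that run code at install time: review these before `npm ci`,
    // or install with `npm ci --ignore-scripts` until they are vetted
    withInstallScripts: [...closure.entries()]
      .filter(([, e]) => e.hasInstallScript)
      .map(([p]) => packageName(p))
      .sort(),
  };
}

// Audit every direct dependency declared by the project (the "" entry).
function auditAll(lock) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  return direct.map((d) => auditDirectDependency(lock, d));
}

console.log(JSON.stringify(auditAll(LOCKFILE), null, 2));
```

On a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the numbers it prints are what a reviewer would actually have to read to vet one `npm install` line.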
  • 0
    @AleCx04 I also write applications in C, including applications that need a GUI. Sometimes I use Python when it does not have to be super stable.

    That is the problem of web development. It is extremely complex, slow and full of bloat.
  • 1
    @Fast-Nop And I do not see it slowing down or changing direction soon.