Programming Security

Compromised JavaScript Package Caught Stealing npm Credentials (bleepingcomputer.com) 44

An anonymous reader shares a report: A hacker gained access to a developer's npm account earlier this week and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.
  • You are breaking critical news a day late.
    • Also, I am kinda scared how easy it is to infect libraries. We were lucky this time; people are starting to enforce package locks and npm audits. Make that shit mandatory.
    • by Desler ( 1608317 )

      Only a day late? Wow, that's quick for Slashdot. Usually it's 3-5 days later. Plus there'll likely be the inevitable dupe posted by one of the other so-called editors just as icing on the cake.

    • Re:congrats.... (Score:5, Insightful)

      by Aighearach ( 97333 ) on Friday July 13, 2018 @04:00PM (#56943636)

      It is the same as everything else, if you're willing to install dependencies and allow them to automatically update, you're already p0wned.

      Is the correct way to handle code reuse to learn from code already written, and to reuse the code that does what you want, or is it a crutch that lets you write code you don't actually understand how to write?

      If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

      Updates aren't magic, they're an attack vector; you need to have a human evaluate the situation and then do an update promptly if needed. Don't trust updates from a repo unless it is a repo that receives testing from human engineers! Your OS updates you might therefore want to have on auto; but for most package dependencies, you should be on a "stable" version. Don't develop your applications against development versions of dependencies; you don't actually need untested features.

      • by Desler ( 1608317 )

        p0wned

        The term is "pwned", gramps.

        • Sorry kid, the old words didn't disappear just because the new word was really groovy.

          Now get off the lawn, I spilled my meds somewhere in this field and I'm gonna sit here and watch the grass grow until I either remember where I dropped them, or forget why I'm sitting here.

      • Yeah, let's all reinvent the wheel or roll our own crypto like iota.
        • Yeah, let's all reinvent the wheel or roll our own crypto like iota.

          Rolling your own crypto isn't bad. Presuming you can do it correctly.

          Even if you only take it as far as running your own CA and signing and trusting your own certs, you'll be way more secure than the rest of the world depending on 3rd party CAs.
          If you want to get serious, you take a standard algorithm but change the default parameters, investigate what curve is used and why (hello NSA), etc.
          If you're worried you might fuck something up, then you take a standard algorithm and standard config, but add a seco

          • For example, XOR. f(x) = 0 is provably secure, but non-reversible (and completely useless).

            Secure in theory, but you still have to be careful to not fall to sidechannel attacks.

            • That's an implementation issue. No mere mortal is going to be able to truly trust modern computing hardware.

      • If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

        I just want to point out that this is really hard to do these days (ie, a lot of effort). That is the #1 thing that frustrates me about web development these days.

        • It's why I went back to writing secure dynamic websites in C with no framework.

          I just wish I was joking. It feels like there should be some kind of punchline right here.

  • Open collaborative coding with the public, always opens the door for bad actors to get in and inject bad code. Especially if the review process is kinda lax.

    • That's why people say, ignorance is happiness.
      You take your proprietary binary,
      you never think that it's compromised,
      so you live a happy dev life in ignorance.

    • by 110010001000 ( 697113 ) on Friday July 13, 2018 @03:34PM (#56943470) Homepage Journal
      Closed source software has been stealing credentials and data for years. It took a day to catch the open source one. Your phone is riddled with data stealing software right now.
    • Sorry for adding the spoiler, but in this case "kinda lax" is a sarcastic way of saying "missing or absent." The npm "review" process is that after somebody injects malware, and it gets pushed out, then if enough people report it as a bug it might get removed.

  • It is showing the true nature of man.