Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Programming

'One In Two New Npm Packages Is SEO Spam Right Now' (sandworm.dev) 37

Gabi Dobocan, writing at auditing firm Sandworm: More than half of all new packages that are currently (29 Mar 2023) being submitted to npm are SEO spam. That is - empty packages, with just a single README file that contains links to various malicious websites. Out of the ~320k new npm packages or versions that Sandworm has scanned over the past week, at least ~185k were labeled as SEO spam. Just in the last hour as of writing this article, 1583 new e-book spam packages have been published. All the identified spam packages are currently live on npmjs.com.
This discussion has been archived. No new comments can be posted.

'One In Two New Npm Packages Is SEO Spam Right Now'

Comments Filter:
  • by TuballoyThunder ( 534063 ) on Thursday March 30, 2023 @01:24PM (#63412232)
    Spam from JavaScript? Joking not joking.
    • by drnb ( 2434720 ) on Thursday March 30, 2023 @01:35PM (#63412268)

      Spam from JavaScript? Joking not joking.

      Well if its node.js one can just assume its pure goodness for your server. ;-)

    • by Anonymous Coward
      A real Slashdot story from BIZ-X SEO spam? Actually, not joking. It is all SEO spam paid for by corporate and government interests.

      Mr. Abbott is a crook and a pathological liar.
    • by kwalker ( 1383 )

      Spam uses English words, mostly. JavaScript uses variables and various kinds of brackets and punctuation.

  • by OrangeTide ( 124937 ) on Thursday March 30, 2023 @01:27PM (#63412240) Homepage Journal

    But this is why we can't have nice things.

  • by presidenteloco ( 659168 ) on Thursday March 30, 2023 @01:35PM (#63412264)
    Seems pretty simple to classify these.
    • This doesn't really sound like that much of a problem. 2FA, account validation & bot-check for publishing to npm actual, some graylisting/blacklisting of hosts, perhaps some firewall service to flag suspicious activity and some plausibility checks for newly published packages.

      This should be public archive maintenance and protection 101, no? Nothing a good team of maintainers couldn't solve in a few sessions. That's my impression anyway.

    • by ljw1004 ( 764174 )

      Why not automatically removed? Seems pretty simple to classify these.

      If npm creates a simple automatic classifier, you can be sure that within a day the bad actors will come up with new submissions that thwart the classifier. It'll be a never-ending whack-a-mole that npm are doomed to lose, because economic incentives are against them -- they don't gain much additional revenue to offset the cost of the full time employees they need to beat the bad actors, while the bad actors have an easier job and directly make money.

      • If npm creates a simple automatic classifier, you can be sure that within a day the bad actors will come up with new submissions that thwart the classifier. It'll be a never-ending whack-a-mole that npm are doomed to lose, because economic incentives are against them -- they don't gain much additional revenue to offset the cost of the full time employees they need to beat the bad actors, while the bad actors have an easier job and directly make money.

        You don't have to make it hard enough that the bad actors can't abuse it profitably -- you just have to make it hard enough that it's easier for the bad actors to just go somewhere else. Sort of like "I don't have to outrun the bear -- I just have to outrun you."

  • by dark.nebulae ( 3950923 ) on Thursday March 30, 2023 @02:45PM (#63412404)

    A workflow.

    New accounts w/ new submissions - must get reviewed and approval before being added.

    Existing accounts w/ good standing - auto-approval.

    • by ArchieBunker ( 132337 ) on Thursday March 30, 2023 @02:51PM (#63412416)

      The real question is why you need to pull in so many third party libraries. How on earth was software ever written in the decades before this nonsense?

      • by tepples ( 727027 )

        Before this nonsense, developers copied and pasted snippets of code. These snippets had security vulnerabilities when exposed to untrusted input, and there was no central way to update all uses of a particular snippet.

        • by narcc ( 412956 )

          Now, we introduce security vulnerabilities with ruthless efficiency!

          Seriously. Security is a reason to avoid importing a ton of third-party code.

          there was no central way to update all uses of a particular snippet

          Most sensible organizations maintained their own library of "snippets" as it gave them a competitive advantage. The really smart ones still do.

      • In those days it took longer and cost more to write software. The primary appeal of using all these third party libraries is: many features quickly and cheaply.

        Sure, there may be a price to pay in the long run. A maintenance cost. But that's ok because we got our product out the door before the competition, locked up some clients in long-term contracts, and as such we will have the money to pay that maintenance cost when the time comes.

        And by the time this mess snowballs into an enormous, impenetrable bl

        • by narcc ( 412956 )

          Between the enormous maintenance costs, and the necessarily shorter lifetime of the product, I have to wonder if there would ultimately be any savings at all.

          Even in the short-term, I can't imagine there being much of anything saved during development. There's a story I like to tell about how making and testing a thing took less time than was spend trying and failing to find a suitable thing from a third-party. Finding, learning, and adapting a third-party thingamabob that doesn't quite do what you want i

    • A workflow.

      New accounts w/ new submissions - must get reviewed and approval before being added.

      Existing accounts w/ good standing - auto-approval.

      Existing accounts w/ good standing - auto-approval with random reviews to ensure compliance.

      FTFY

  • by peterww ( 6558522 ) on Thursday March 30, 2023 @02:55PM (#63412430)

    They need community moderation. For any Linux distro, you need to go through a series of steps before you can have a package accepted or modify a package.

    1. Do not allow packages to return in search results by default.
    2. For any brand new package, require an existing community member with approved packages review the package before it can be accepted.
    3. If a package is flagged as malware, pull it from search results and suspend the author's ability to publish anything, pending a review by moderators.
    4. If multiple packages are flagged, ban the user for a month.
    5. If any package is confirmed to be malware, ban the user for life. An appeals process allows requesting the ban be overturned if they can prove they didn't mean to push malware.

    This could be further enhanced by various means (captchas, confirming user identity via SMS, etc). But the point is to have humans in the loop, not allow just anyone to publish anything, and have a way to quickly identify and pause anything that seems like malware.

    • by tepples ( 727027 )

      For any Linux distro, you need to go through a series of steps before you can have a package accepted or modify a package.

      For example, in the case of Debian, getting a package in seems to require a key signing [debian.org], which involves traveling hundreds or kilometres or hundreds of miles to meet an experienced developer in person. Economic, geopolitical, or disability barriers may make this impractical. (I admit I may have misunderstood what I read on Debian's website about the relationship between a contributor and a sponsor.)

      2. For any brand new package, require an existing community member with approved packages review the package before it can be accepted.

      When a developer uploads a package, and the package gets no attention at all from other members, what recourse

    • by vux984 ( 928602 )

      Makes me think of the sci-fi story site that had to stop accepting submissions because of chat-gpt spam.

      "2. For any brand new package, require an existing community member with approved packages review the package before it can be accepted."

      Can we dump so much spam on it that 'human community members' can't possibly keep up?

      Why, yes. yes we can. Barely an inconvenience.

      "An appeals process allows requesting the ban be overturned if they can prove they didn't mean to push malware."

      The poor innocent victims, w

  • "a single README file that contains links to various malicious websites."

    Pretty sure that is not the definition of "SEO SPAM"

If mathematically you end up with the wrong answer, try multiplying by the page number.

Working...