Comment by vb-8448
2 years ago
I wonder what is the long term plan.
Maybe the next step is to sell the control of all these packages to a rogue entity to be used for a supply chain attack?
Would you be at all surprised? I'm fairly confident that like with browser addons, NPM package maintainers get offers from randoms to 'buy' their package in order to get backdoor access.
A secured registry is long overdue, where every release gets an audit report verifying the code and authorship of a new release. It won't be nearly as fast as regular NPM package development but that's a good thing, this is intended for LTS versions for use in long-term software. It'd be a path to monetization as well, as the entities using a service like this are enterprise software, and both the author(s) of the package and the party doing the audit report would get a share.
> A secured registry is long overdue, where every release gets an audit report verifying the code and authorship of a new release.
Microsoft did exactly that (since they own both NPM and Github) by allowing you to verify the provenance of NPM packages built using Github Actions [1]. It's not required for all packages though. They've also started requiring all "high impact" packages to use two factor authentication [2].
[1] https://github.blog/security/supply-chain-security/introduci...
[2] https://github.blog/changelog/2022-11-01-high-impact-package...
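What the provenance feature referenced above actually lets a consumer check is that the tarball being installed is the same artifact a known GitHub Actions workflow built from a known repository. The following is an added example, not code from npm or GitHub: it reproduces the core comparison offline against a constructed in-toto/SLSA provenance statement. The package name, repository URL, builder ID prefix and tarball bytes are all placeholders, and Sigstore signature verification of the bundle (which the real `npm audit signatures` does) is assumed to happen before this step.

```python
"""Offline check of an npm-style provenance statement (added example).

Not npm's or GitHub's code. Shows the checks a client performs once it
has a (signed) SLSA provenance statement for a package tarball: the
subject digest must match the tarball, the builder must be the expected
GitHub-hosted builder, and the source repository must be the one we
expect. Signature verification against Sigstore is assumed done already.
"""
import hashlib

# Constructed sample inputs; package name, repo and builder are placeholders.
TARBALL = b"fake-tarball-bytes-for-demo"
EXPECTED_REPO = "https://github.com/example-org/example-pkg"
GITHUB_BUILDER_PREFIX = "https://github.com/actions/runner"  # assumption
SLSA_V1 = "https://slsa.dev/provenance/v1"


def make_statement(tarball: bytes, repo: str, builder_id: str) -> dict:
    """Build a minimal in-toto statement carrying a SLSA v1 predicate.

    Field layout follows SLSA v1 (externalParameters.workflow.repository,
    runDetails.builder.id); treat it as an assumption, not the exact
    shape npm emits.
    """
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{
            "name": "pkg:npm/example-pkg@1.0.0",
            "digest": {"sha512": hashlib.sha512(tarball).hexdigest()},
        }],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {"repository": repo}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, tarball: bytes, expected_repo: str) -> list:
    """Return the list of problems found; an empty list means all checks passed."""
    problems = []

    if statement.get("predicateType") != SLSA_V1:
        problems.append("unexpected predicate type")

    # 1. The artifact we hold must be one of the attested subjects.
    digest = hashlib.sha512(tarball).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha512") == digest for s in subjects):
        problems.append("tarball digest not among attestation subjects")

    pred = statement.get("predicate", {})

    # 2. It must have been produced by the builder we trust, not an
    #    arbitrary machine that merely signed a statement.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(GITHUB_BUILDER_PREFIX):
        problems.append(f"unexpected builder: {builder!r}")

    # 3. The build must have come from the repository we expect; a fork
    #    with a valid workflow would otherwise pass checks 1 and 2.
    repo = (pred.get("buildDefinition", {})
                .get("externalParameters", {})
                .get("workflow", {})
                .get("repository", ""))
    if repo != expected_repo:
        problems.append(f"source repository mismatch: {repo!r}")

    return problems


if __name__ == "__main__":
    good = make_statement(TARBALL, EXPECTED_REPO, GITHUB_BUILDER_PREFIX + "/github-hosted")
    print("legit:", verify_provenance(good, TARBALL, EXPECTED_REPO))
    print("swapped tarball:", verify_provenance(good, TARBALL + b"x", EXPECTED_REPO))
    forked = make_statement(TARBALL, "https://github.com/attacker/fork", GITHUB_BUILDER_PREFIX + "/github-hosted")
    print("wrong repo:", verify_provenance(forked, TARBALL, EXPECTED_REPO))
```

The third check is the one that matters for the "sell the package to a rogue entity" scenario discussed in this thread: provenance proves where a tarball was built, so a consumer who pins the expected repository will notice when a new release suddenly comes from somewhere else, even though it is signed and attested.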
> Would you be at all surprised
Actually no, I just wonder why no one takes these types of risks seriously.
Supply chain attacks are a thing nowadays, but no one really cares; 6 months ago we had the xz attack but basically no one remembers it today.
Who says there is one? It takes basically zero effort to publish these packages, so why not do it? Script kiddie stuff. Lots of people run dumb unsuccessful hustles. The long term plan seems to be macaroni. That is: throw enough macaroni at a wall and hopefully some of it will stick. Or maybe not. Who cares? Wasn't my macaroni and I won't have to clean the wall.
But who would use those spam packages in their project? They don't do anything.
I don't know if they managed to fix it in recent years, but JS dependency management used to be broken. I think the left-pad[0] incident is the best known one, but not the only one. My guess is that if you spam enough, at some point in time one of the packages will go viral.
[0] https://en.wikipedia.org/wiki/Npm_left-pad_incident
This was fixed years ago, and of course people then complained about not being able to remove their packages [1].
[1] https://news.ycombinator.com/item?id=38874874
Ban the root cause (funny token money). While incentive exists it will find a way.