
Comment by m4r71n

2 months ago

Since so many vendors discovered these packages seemingly independently, you'd think that they would share those mechanisms with NPM itself so that those packages would never be published in the first place. But I guess that removes their ability to sell an "early alert" mechanism through their offerings...

NPM is owned by GitHub/Microsoft. I'm sure they could afford to buy one of these products or just build their own, but clearly security is not a thing they care about.

  • Can't help noticing, in the original article:

    > The entire attack design assumes Linux or macOS execution environments, checking for os.platform() === 'linux' || 'darwin'. It deliberately skips Windows systems

    If I were the conspiracy-minded sort I might jump to some wild conclusions here.

    • I’m using Windows again. By default Windows has “PowerShell”, which is not at all like bash and is (how do I say this diplomatically)… wanting.

      I mean, it says something that they developed the Linux Subsystem for Windows, but it’s an optional install.


  • Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR.

    • On the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.

      MS doesn't care
