SSH keys stolen by stream of malicious PyPI and NPM packages
#ycombinator #computers #windows #linux #mac #support #tech_support #spyware #malware #virus #security #Coding #Information_Stealer #Information_stealing_malware #npm #Package_Manager #Packages #PyPI #Repository #virus_removal #malware_removal #computer_help #technical_support
Is anyone else having issues with installing #NPM packages inside the official node:18 #Docker container?
Every install fails with "network request to https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-4.0.2.tgz failed, reason: socket hang up", and it's always another package. 😓
NPM status is all green?!
In today's #NixOS live coding video I demonstrate:
* How to use naersk and crane to build #Rust projects
Red teams and adversaries alike are using software supply chain attacks as a way to gain access to even the most prepared organizations. Today, we discuss several #malicious #npm packages successfully targeting a large financial institution. Is this an adversarial simulation or a legitimate threat? Read on to find out.
Wrote a quite lengthy article on building an Event Based, cross platform, context/state management system with #vanillajs , utilizing what the platform already provides.
Really think this pattern could ease a lot of developers https://matsu.fi/blog/event-based-state/
The video for my #PackagingCon2023 talk is now up on youtube!
I blurted out a bunch of stuff about the kind of work I've done speeding up #NPM and #Orogene, in hopes that it would help some poor soul out there. It's kind of a high-level overview, but it talks about a lot of different things. It's also the first talk I've given in YEARS.
Check it out if you're interested! https://www.youtube.com/watch?v=eh3VME3opnE&list=PLl386dCR5QGTElF3MbltCJupNG1lHK4Nr
Hoping to spare others a headache. If your project...
(a.) uses pnpm
(b.) uses `npm-run-all`
(c.) has a `package.json` with a `config` object and a `name` item
... you’ll have bugs with any scripts using `npm-run-all`. (https://github.com/mysticatea/npm-run-all/issues/249)
Until this bug is fixed:
(1.) Remove the `name` item.
(2.) Remove the `config` object.
(3.) Use `concurrently` for parallel stuff **or** the old `&&` thingy for sequential stuff. (My recommendation.)
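As an added illustration (not from the post above, nor from npm-run-all's or pnpm's own documentation), this is a package.json that follows the workaround the post recommends: no top-level `name` and no `config` object, `concurrently` for the parallel watch tasks, and plain `&&` for the sequential build. The script names, paths and version ranges are made up for the example.

```json
{
  "private": true,
  "version": "0.1.0",
  "scripts": {
    "build:css": "sass src/styles:dist/styles",
    "build:js": "tsc -p tsconfig.json",
    "build": "npm run build:css && npm run build:js",
    "watch:css": "sass --watch src/styles:dist/styles",
    "watch:js": "tsc -p tsconfig.json --watch",
    "dev": "concurrently \"npm:watch:*\""
  },
  "devDependencies": {
    "concurrently": "^8.0.0",
    "sass": "^1.69.0",
    "typescript": "^5.2.0"
  }
}
```

`"private": true` keeps npm from ever publishing a package that has no `name`; the `npm:watch:*` pattern is concurrently's own shorthand for running every script whose name matches the glob, so nothing here depends on `npm-run-all`.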
What constitutes "malicious use" is drifting WAY into the normal use operating envelope.
To save money (hiding behind safety)?
All you need is `entr` (file observer) and `bun` (TS compiler) and `sass` (Dart Sass).
Watch mode works too. And it's hyper fast. I will hopefully write a short article about it soon. NPM is such a bloated and complex environment, I really don't like it.
#opensource #gnu_linux #webdevelopment #KISS
You can use systemd-nspawn to create a container that uses your own root filesystem by specifying --directory=/ --volatile=yes. This mounts a tmpfs into the container's root, and then mounts your /usr into the container's /usr in read-only mode. This allows the container to run all the software installed on your machine, while redirecting writes to the tmpfs.
Alternatively, instead of --directory=/ you could specify some other directory that contains an OS image (such as --directory=/var/lib/machines/debian-bookworm or --directory=/var/lib/machines/fedora-38). Multiple containers can transparently share the same image, since all the writes go to a per-container tmpfs.
When it is volatile, it really only mounts the /usr inside the specified directory, rather than the directory itself. In particular, /dev and /etc will be empty.
Statically linking your application, then distributing that application, such as via Docker Hub to others, will then require your application to be #GPL licensed in many, many cases within the Linux ecosystem. This may not be desired.
#python #docker #nix #npm
Why doesn't #npm resolve package versions that are compatible with current node version?
I'm trying to copy this module, and make a small astro npm module. But I'm realizing that there's no type safety for modules created this way. There's also no way to build a d.ts file because of the astro import. Does anyone have a way to generate types for an astro module?
Also posted on the Astro discord:
Are we all really using NPM, the Node.js package manager, correctly? This article may make some people realise that certain things can sometimes be done a bit differently.
After spending a good part of the last 4 months trying to upkeep a simplistic npm based project (static site generator using eleventy), I am this close to declaring the npm ecosystem a strict NO-GO ecosystem for myself. I think I would sleep more peacefully with less npm based software in my list of software I use, but it's getting increasingly difficult to find non npm based software solutions nowadays.
On one side there are ~500 packages, and not everyone wants to or can move fast forward; such complex dependency trees make me nervous about using such software in any capacity.
On the other side, packages which are over eager to share features with users and do a new release every week make me nervous in a different way.
Yes NPM, I actually want zero factor authentication… the account was made by mistake (accidentally logged into the wrong NPM instance)… get rid of it! Stop hassling me about it!
> Hi, stuartl!
> It looks like you still do not have two-factor authentication (2FA) enabled on your npm account.
Protestware taps npm to call out wars in Ukraine, Gaza
Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts in Ukraine and on the Gaza Strip when they are deployed.
Pulse ID: 65577343e96a6fbc131bc152
Pulse Link: https://otx.alienvault.com/pulse/65577343e96a6fbc131bc152
Pulse Author: AlienVault
Created: 2023-11-17 14:05:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#vscode does not report any errors and '#npm run start' also has 0 errors. #reasonml #emacs
👉 proposal for new release schedule / users are not interested in releases that will not become #LTS
👉 doc: add codenames through to Node.js 34 (2030)
👉 Plans for #npm 10
👉 Release plan - v20.x Active #LTS
👉 Release plan - v18.x #Maintenance #LTS
The 2000 line framework challenge: How to template JSON or APIs in 3 lines of component code + 1 extra 2k file
Web Component based, & no NPM, node_modules, building, or terminal usage needed
clearly, putting node and non-node packages in #npm was a huge mistake
we really need an npm without n
My chat with #npm today:
- You have 8 vulnerabilities
- Ok, then npm audit fix --force !
- I'm done. You now have 131 vulnerabilities.
- Hmmm... okay... npm audit fix --force again, maybe?
- I'm done. You now have 8 vulnerabilities.
If you want to make a #crossplatform #app, and you don't know which framework you should use?
Just use #Tauri and don't waste your time on #electronjs, #flatten or other stuff.
Tauri is light and too easy.
Check out the Tauri site:
See what #npm packages your project is no longer using with this one-liner:
npx npm-check | grep -i 'notused?' | rev | cut -d'?' -f2 | cut -d' ' -f1 | rev
(Treat the list as a hint: npm-check isn’t capable of detecting all possible usages of all packages, so there might be false positives.)
#node version: 20.9.0 & #npm is 10.1.0. Tried installing #svelte with npm for comparison & got a similar error, so it's a local issue? When using "npm install" to install #11ty it works with no issues.
Could anyone point me in a direction for how to fix this? I'm not very familiar with debugging these kinds of things...
Just wasted a fair bit of time on an issue this would have avoided, bundlers and browsers all support ES Modules these days, and I would very much like to take small steps toward making CommonJS go away.
💥 New episode of The Changelog!
ANTHOLOGY from @allthingsopen 2023! Featuring:
🌟 @sudomateo (former Engineer at #HashiCorp working on #Terraform Enterprise)
🌟 Nithya Ruff (Head of the #OSPO at #Amazon)
“ […] what we’re trying to do here is kind of crazy. We want to:
* Download code
* from the internet
* written by unknown individuals
* that we haven’t read
* that we execute
* with full permissions
* on our laptops and servers
* where we keep our most important data
This is what we’re doing every day when we use npm install. It’s a miracle that this system works—and that it’s continued to mostly work for this long!”
Advertisish but interesting:
Just put together a rant on JS modularity here
1. Don't use "-g" when running npm install
2. Add npm .bin to $PATH. e.g.
docker run ....
node:current /bin/dash -c 'PATH=/home/node/app/node_modules/.bin:$PATH $0 "$@"' "$@"
A fun weekend project - simplifying my #TypeScript #NPM library build process down to the bare minimum. https://tedspence.com/improving-on-typescript-package-build-processes-cc0af64849e0
> You can't get faster than No Build
Arguably optimizing for 0-dependencies packages is kinda wrong in some cases, because if you use 100 packages, each with 0 dependencies, then most likely there is going to be a decent amount of code duplication in there, and the packages won't necessarily work well together.
is it malware if the #npm package name tells you it’s stealing /etc/passwd?
➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻♂️ Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️ FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt
📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
I’m right now primarily focusing on my own projects but happy to share my experience with others + never wrong to refill the wallet a bit.
LOL another supply chain attack in #NPM using postinstall scripts - an issue I REPORTED TO NPM OVER 6 YEARS AGO BUT THEY CLOSED AS WONTFIX
(The POC I wrote to prove it - https://github.com/tanepiper/steal-ur-stuff)
Bundlephobia has been great, but (1) the maintainer has been asking for support for a while without success, and (2) the service has unfortunately become unreliable, probably as a result.
This is actually a pretty awesome (but lengthy) post about Bun and why you probably shouldn't jump on the train already.
Bun hype. How we learned nothing from Yarn
When running "npm run dev" it cannot find the "astro" command. When installing it with #yarn everything works fine and as expected (no error during dependency install). 🤷♂️