Npm Team Warns of New 'Binary Planting' Bug (zdnet.com)
The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination of a path-traversal issue and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a booby-trapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or booby-trapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.
Package manager? Libraries? (Score:2, Insightful)
The more you rely on others to do your job, the more you open yourself to such risks.
Re: (Score:3, Insightful)
Re: (Score:3)
It's the same as standards--any attempt to create a unifying package manager just adds another package manager to the pile. https://xkcd.com/927/ [xkcd.com]
Re: (Score:2)
The whole idea of using a package manager for your code is beyond stupid. What happens to all of these apps if/when NPM shuts down? What happens if/when they have an update that breaks the existing API? You should ship your dependencies with your code.
thanks for the advice (Score:3)
Re: (Score:2)
> The whole idea of using a package manager for your code is beyond stupid. What happens to all of these apps if/when NPM shuts down? What happens if/when they have an update that breaks the existing API? You should ship your dependencies with your code.
Yeah, but then tracking versions and security in the dependency chain is a chore so you automate that, sharing the code and database with other projects because why try to reinvent...
it's because none of them used to have them (Score:2)
Re: (Score:2)
> Such risks
That word "such" will kill you. You're almost infinitely better off using division of labor to let others push you security updates than to track the source of every piece of software you use.
In a complex enough system you will run out of time doing your own security such that vulnerabilities will outpace you. It's the total system security that is ultimately important, not just one package.
Of course npm should check signatures and be properly isolated on the system that uses it, but one pr
Security? Convenience? (Score:3)
This is just the classic conundrum writ large. It's so convenient to have useful libraries just a command away. And I love having that, as it's required these days to hit deadlines. But anyone who thinks the practice of downloading random code of dubious provenance is not reducing the security of the resulting systems is deluding themselves. The sad thing is that as long as there's even one clever jackass who "just wants to do it for the lolz", these systems will be at risk. How to fix it? Build better people I guess. Until then, scan, scan, and scan some more; keep thinking up new defenses; stick to oft-used packages when you use this stuff.
Easy prey (Score:5, Insightful)
This might be the grumpy admin in me talking. And I must disclaim that I also know very smart and diligent devs who use node.js.
However, from what I've seen of typical node.js "developers", the level of concern for what is actually going on with the machine is very low. It's more a matter of cobbling up whatever plugins and frameworks need to be duct-taped together (including node.js itself) to get whatever YouTube tutorial they've been watching to produce their expected output. They'll do all of this with liberal use of sudo (or even sudo su -) in some poor VM (or docker container), trying stuff until it works without any real understanding of what's going on, then call it a day and tell the client that everything is ready for production.
So yeah, once you've run out of grandmas running Windows XP to exploit, node packages are an excellent vector towards people who have very little concern for security.
Re: (Score:3)
The community around Javascript is full of neophytes trying to prove their precious embryo of a language is comparable to Perl, Python, Ruby, PHP, Lua, etc. They do everything with a clean room mentality, refusing to taint themselves with knowledge gained from similar experiences in other languages.
citation needed (Score:2)
Re: (Score:2)
The entire concept of NPM is a giant supply chain exploit waiting to happen.
no (Score:2)
which language do you think has just good devs (Score:2)
How can I trust anything? (Score:3)