GHSA-97m3-w2cp-4xx6
SecurityAdvisories
| GHSA-97m3-w2cp-4xx6 | SecurityAdvisories | |
|---|---|---|
| 13 | 6 | |
| - | 2,655 | |
| - | 0.8% | |
| - | 9.6 | |
| - | 3 days ago | |
| - | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-97m3-w2cp-4xx6
-
Selecting the Right Dependencies: A Comprehensive Practical Guide
How safe is it to use? It may sound like fiction, but yes, dependencies can be dangerous. For example, an interesting feature was added to a library with 500k downloads: it tries to replace all files on the computer with ❤️ if your IP address falls within a specific range.
- Embedded Malicious Code in node-ipc
- Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers
-
With the recent scandal over the 'node-ipc' package, is Composer also vulnerable like this? Is there any security measure in the Composer to prevent this type of attack?
Source: CVE-2022-23812
- CVE-2022-23812 - mbedded Malicious Code in node-ipc - The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files on Russian systems
- My entire PC got wiped Do not download
- NPM supply chain attack - Wipes your disk if you have a Russian/Byelorussian IP
-
Ukraine Invasion Megathread #3
I have not audited the malicious code myself, so you might be right, I'm going by the CVE reports that say it does this to arbitrary files.
SecurityAdvisories
-
Preventing Installing Composer Dependencies with Known Security Vulnerabilities
To reduce the chance of introducing vulnerable dependencies into your projects, you can use tools such as "Roave Security Advisories" (roave/security-advisories).
- With the recent scandal over the 'node-ipc' package, is Composer also vulnerable like this? Is there any security measure in the Composer to prevent this type of attack?
- Open source is not a place for politics
-
Composer conflict, how can we use it?
In order to avoid accepting third-party code with well-known security issues you can take advantage of SecurityAdvisories by Roave, a library which uses conflict as shown in this article to block unsafe packages. Give it a look!
-
PHP libraries and tools
roave/security-advisories: Security advisories as a simple composer exclusion list, updated daily
-
Laravel QR Code Generator Infected with Malware
Every composer user should use at least https://github.com/Roave/SecurityAdvisories
What are some alternatives?
es5-ext - ECMAScript extensions (with respect to upcoming ECMAScript features)
local-php-security-checker - PHP security vulnerabilities checker
peacenotwar - Attempts to determine if the computer its running on has an IP originating from Russia or Belarus. If it is then depending on the version of the malware either attempts to delete all files on the computer, or creates a text file on the computers desktop protesting the war in ukraine.
enlightn - Your performance & security consultant, an artisan command away.
node-ipc - A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning.
PHPStan - PHP Static Analysis Tool - discover bugs in your code without running it!
Symfony - The Symfony PHP framework
ruby-advisory-db - A database of vulnerable Ruby Gems
Deptrac - Keep your architecture clean.
Serializer - Library for (de-)serializing data of any complexity (supports JSON, and XML)
GrumPHP - A PHP code-quality tool
captainhook - CaptainHook is a very flexible git hook manager for software developers that makes sharing git hooks with your team a breeze.