steal-ur-stuff
event-stream
steal-ur-stuff | event-stream
---|---
8 | 5
21 | 2,157
- | -
0.0 | 0.0
almost 7 years ago | over 5 years ago
JavaScript |
- | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
steal-ur-stuff
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
I actually did a POC 7 years ago about this - https://github.com/tanepiper/steal-ur-stuff
It was reported to npm at the time, but they chose to ignore it - https://github.com/npm/npm/issues/17724
-
I wish more developers understood the constant stream of malware that is posted to npm
postinstall malware I reported almost 7 years ago with npm - that it can run any arbitrary script locally or remotely.
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
I should really get around to how I discovered this 6 years ago and still nothing done about it
-
Attackers are hiding malware in minified packages distributed to NPM
Whenever something like this comes up I usually have to tap the sign (and the original report)
-
npm package to upload your private ssh keys to a pastebin
Ahh this old one - I wrote a similar package a while back as a proof of concept that npx is a bad idea 5 years ago - the developer at npm at the time told me it wasn't a problem.
-
A pastebin-like platform where you can easily paste code and import it as a module in our NPM projects
Please don't do this and never make it an actual dependency.
-
Researcher hacks over 35 tech firms by creating public NPM packages
Not only that it can run arbitrary code contained in a Gist and I showed this 4 years ago https://github.com/tanepiper/steal-ur-stuff
-
Getting rid of NPM scripts
[3] https://github.com/tanepiper/steal-ur-stuff
event-stream
-
I gave commit rights to someone I didn't know
Another possible outcome of "I gave commit rights to someone I didn't know": https://github.com/dominictarr/event-stream/issues/116
-
Looking for open source Python lite wallet or Payment Processor with unified API for BTC, LTC, ETH, XMR, maybe others
-
What NPM Should Do Today to Stop a New Colors Attack Tomorrow
Whole npm ecosystem is so fragile.
Remember event-stream[1]? Did we learn something from that? Yes, we might have. So was it improved? Never. People are still installing the 'new' colors package and wondering why its text is broken.
What if he had uploaded malicious code rather than just gibberish?
[1]: https://github.com/dominictarr/event-stream/issues/116
-
NPM Audit: Broken by Design
-
Researcher hacks over 35 tech firms by creating public NPM packages
foo-bar version 1.0 depends on bada-boom 1.0, which depends on bada-bing 1.0. Now you update to foo-bar 1.1 because of some critical update, which in turn now depends on bada-boom 2.0 and bada-bing 2.0. But unbeknownst to you and the author of foo-bar, the bada-boom and bada-bing projects were taken over by another maintainer who made an update, but also added some trojan horse code to specifically attack certain users, which was obfuscated and remained undetected. This has happened before: not just browser extensions are affected by malicious attackers taking over useful projects.
What are some alternatives?
cli - Command line interface for the Phylum API
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert
actual-malware - Useful library dependency
cli - the package manager for JavaScript
asdf - Extendable version manager with support for Ruby, Node.js, Elixir, Erlang & more
pkg-vuln-collab-space - Project for work on improved Package Vulnerability Management & Reporting
npm
proposal-built-in-modules
HomeBrew - 🍺 The missing package manager for macOS (or Linux)
django-money - Money fields for Django forms and models.
project
colors.js - get colors in your node.js console