Ledger's NPM account has been hacked

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Malware Security secure-software-supply-chain software-supply-chain-security package-manager

SurveyJS
Our great sponsors
  • SurveyJS - Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
Our great sponsors

  • connect-kit

    • One of the comments on the github issue... https://github.com/LedgerHQ/connect-kit/issues/29

    "The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.

    This looks like an extremely dangerous approach now, if I understand it correctly, connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is comprised, all downstream dApps are automatically exposed."

  • LavaMoat

    tools for sandboxing your dependency graph

    • Just yesterday I watched a talk [0] at WarsawJS about LavaMoat [1], a set of tools to protect against malicious behaviour from npm dependencies. Guess it’s time to look into it deeper.

    [0]: https://naugtur.pl/pres3/lava/2023end.html

    [1]: https://github.com/LavaMoat/LavaMoat

  • SurveyJS

    Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

    SurveyJS logo

  • ledger

    Double-entry accounting system with a command-line reporting interface

    • I thought this was about https://github.com/ledger/ledger and was so confused why they'd be on NPM.

    Pretty shitty of them to pick the name LedgerHQ after Ledger has already been used for years.

  • birdcage

    Cross-platform embeddable sandboxing

    • Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.

    A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!

    In addition to this, we've released several open source tools to help protect against supply chain attacks:

    1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations

    2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)

    We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.

    https://docs.phylum.io/docs/integrations_overview

    It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.

  • cli

    Command line interface for the Phylum API (by phylum-dev)

    • Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.

    A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!

    In addition to this, we've released several open source tools to help protect against supply chain attacks:

    1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations

    2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)

    We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.

    https://docs.phylum.io/docs/integrations_overview

    It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.

  • cli

    the package manager for JavaScript (by npm)

    • This is the same NPM that made a change causing the `integrity` field to go silently missing from `package-lock.json` [0] when installing packages, and then also not complaining at any other time in the future.

    [0] https://github.com/npm/cli/issues/4460

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts