Embedded malware in RC (NPM package)

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • rfcs

    Public change requests/proposals & ideation (by npm)

  • If you're interested in preventing this sort of thing, I'd appreciate comments on this [RFC](https://github.com/npm/rfcs/pull/488) I just submitted to npm to make install scripts opt-in instead of default behavior. While of course not perfect, this simple change would certainly go a long way in increasing the difficulty of creating these sorts of attacks, as right now, as long as a computer even installs the packages in question, without running any code in the package, the malicious program has a chance at running.

    RFC: https://github.com/npm/rfcs/pull/488

    Related HN post: https://news.ycombinator.com/item?id=29122473

  • cobra

    A Commander for modern Go CLI interactions

  • Ok, now, what languages besides Python and Go provide command-line argument parsing? And Go doesn't do that in a `professional` way. You either write your own, which can easily turn into a clusterfuck, or use a third-party library. Even in Go, people use cobra[1]. Also, embedding a lot of functionality in a standard library isn't great either, because if some vulnerability is found, it's really hard to patch it, because you need to push versions and (for example on Linux) some distro maintainers won't push it for `stability` etc. A standard library should provide basic functionality (in most general areas), but not very advanced functionality.

    [1] https://github.com/spf13/cobra

  • Swift Argument Parser

    Straightforward, type-safe argument parsing for Swift

  • It's not part of the standard library, but Swift has the first-party ArgumentParser[0]. Other languages could use a similar model (though what "first party" means for JavaScript is unclear).

    [0]: https://github.com/apple/swift-argument-parser

  • warehouse

    The Python Package Index

  • > Note how the referenced VirusTotal result has 40+ detections. I'm still wondering why info like this isn't used by PyPI and NPM.

    I was contracted to help build a malware analysis pipeline for PyPI[1][2]. We don't currently have a VirusTotal detector/analyzer (IIRC, we couldn't get a high-enough volume API token on short order), but I think any work towards that would be greatly appreciated by both the PyPA members and the Python packaging community!

    [1]: https://pyfound.blogspot.com/2018/12/upcoming-pypi-improveme...

    [2]: https://github.com/pypa/warehouse/tree/main/warehouse/malwar...

  • vouch

    A multi-ecosystem package code review system. (by vouch-dev)

  • I've created Vouch in an attempt to address this problem:

    https://github.com/vouch-dev/vouch

    Vouch lets users create and share reviews for NPM packages. Project dependencies can then be checked against those reviews.

    Vouch uses extensions to interface with package ecosystems. It's simple to create a new extension. Extensions currently exist for NPM, PyPI, and Ansible Galaxy.

    I'm currently working on a website to index known reviews and publish official reviews.

    I hope you guys find it useful! Drop by the Matrix channel if you have any feedback to share: #vouch:matrix.org

  • SES-shim

    Endo is a distributed secure JavaScript sandbox, based on SES
