Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers' NPM login tokens. The open-source utility eslint-scope was altered by hackers so that, when used to analyze source code, it would copy the contents of the user's ~/.npmrc file to …

  1. Anonymous Coward

    Running wasn't the issue

    Running the code wasn't the issue. Anybody installing the package would have been affected, and anybody not using a lock file would have automatically been upgraded to the infected package.
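    The point made above, that a floating version range pulls in whatever the newest matching publish is while a lock file pins what was previously resolved, as an added example that is not part of the thread or of npm's own code. It implements caret-range resolution in plain JavaScript over a constructed in-memory registry; the package name `example-scope` and the versions are made up, and the `install`/`pendingUpgrades` helpers are hypothetical stand-ins for what a package manager does on a fresh install.

    ```javascript
    // Added example: why a lock file protects against a freshly published
    // tampered release. The registry, package name and versions below are
    // constructed for illustration, not taken from the real incident.

    function parseVersion(v) {
      const [major, minor, patch] = v.split('.').map(Number);
      return { major, minor, patch };
    }

    // Numeric comparison of two "x.y.z" strings; >0 when a is newer than b.
    function compareVersions(a, b) {
      const pa = parseVersion(a), pb = parseVersion(b);
      return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
    }

    // Caret semantics: ^1.2.3 allows >=1.2.3 <2.0.0; for 0.x the left-most
    // non-zero component is the one that must not change.
    function satisfiesCaret(range, version) {
      if (!range.startsWith('^')) throw new Error('only caret ranges handled here');
      const baseStr = range.slice(1);
      if (compareVersions(version, baseStr) < 0) return false;
      const base = parseVersion(baseStr), v = parseVersion(version);
      if (base.major > 0) return v.major === base.major;
      if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
      return v.major === 0 && v.minor === 0 && v.patch === base.patch;
    }

    // Newest available version satisfying the range, or null if none matches.
    function resolve(range, available) {
      const ok = available.filter((v) => satisfiesCaret(range, v)).sort(compareVersions);
      return ok.length ? ok[ok.length - 1] : null;
    }

    // Simplified install: a lock file entry wins outright and the range is
    // never consulted; without one, the range floats to the newest publish.
    function install(manifest, registry, lockfile) {
      const resolved = {};
      for (const [name, range] of Object.entries(manifest.dependencies)) {
        resolved[name] = (lockfile && lockfile[name]) || resolve(range, registry[name] || []);
      }
      return resolved;
    }

    // Defender-side check: which locked dependencies would silently move to a
    // newer version if the lock file were dropped? Review these before updating.
    function pendingUpgrades(manifest, registry, lockfile) {
      const floating = install(manifest, registry, null);
      return Object.keys(manifest.dependencies)
        .filter((name) => lockfile[name] && floating[name] !== lockfile[name])
        .map((name) => ({ name, locked: lockfile[name], newest: floating[name] }));
    }

    // Constructed sample data: 3.7.2 stands in for a tampered release pushed
    // after the project last installed and locked 3.7.1.
    const registry = { 'example-scope': ['3.7.0', '3.7.1', '3.7.2'] };
    const manifest = { dependencies: { 'example-scope': '^3.7.0' } };
    const lockfile = { 'example-scope': '3.7.1' };

    console.log('no lock file :', install(manifest, registry, null));
    console.log('with lock    :', install(manifest, registry, lockfile));
    console.log('pending      :', pendingUpgrades(manifest, registry, lockfile));
    ```

    The `pendingUpgrades` report is the part worth keeping around: it turns "we have a lock file" into a reviewable list of what a careless `npm update` or a lock-less CI install would actually pull in.
    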

  2. Cavehomme_

    King Canute

    This is yet another example of the scumbags winning the battle. Everything has an entry point and sooner or later they’ll exploit it. I can’t see highly secure, let alone fully secure, software happening in many years, even decades. Way too much sloppiness or human error to stop it. Until there are laws, large fines and assurance certification for purveyors of software, it will just get worse.

    1. phuzz Silver badge
      Trollface

      Re: King Canute

      The original spelling of Canute was Cnut.

      I'm sure someone can get a joke out of that.

  3. Anonymous Coward

    why the F

    And this is why using shitty cloud repositories for javascript libs is fucking stupid, just because you're too fucking lazy to load it on your own site.

    Sites now need to fetch from 100s of bloody sites due to this type of shit.

    At least it gives me a way of easily making a block list of sites not to visit.

    1. Michael Hutchinson

      Re: why the F

      Do you even know how the modern Web works? You really think sites fetch their JS directly from npm?

      You could make the same argument for _any_ dependency system, hell even the Debian user repo had malware in it recently.

  4. GnuTzu

    Habits

    Um, when your product and repo show up in the news as a hacker victim more than once a year, maybe it's time to check the habits of your community.

    As a gatekeeper, I'm supposed to decide which repos our devs have access to and which don't--and this one is beginning to worry me. And, having tinkered with this one myself, I don't want to have to shut it out completely, but... Oh, this is seriously giving me the willies.

  5. Anonymous Coward

    Scratching my head...

    ... as to why code signing isn't employed here. It is that that is designed to stop exactly this.

  6. mgbrown

    Time to force two-factor authentication?

    "To mitigate this risk, we encourage every npmjs.com user to enable two-factor authentication, with which this morning’s incident would have been impossible."

    Surely it is time npm forced two-factor authentication rather than just encouraging it?

  7. Tom Paine

    mini-wince

    No biggie, but...

    "... possibly initiating a chain reaction of cyber-crime."

    I know what the intended meaning was - I think - but the phrase doesn't communicate it very well. Yeah, I know, everyone's a critic... I'm just picturing a tabloid hack looking for stories to lift (or background) seeing the expression and getting altogether the wrong idea.
