back to article NPM packages disguised as Roblox API code caught carrying ransomware

Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper. The two poisoned libraries – ​​noblox.js-proxy and noblox.js - …

  1. veti Silver badge

    Why does "low barriers" have to mean "no screening"?

    Surely most contributors would be OK with a delay before their code was published, while it gets screened for known malware

    1. whitepines
      Coat

      Indeed. I remember a time when you had to convince the developers that your code was good enough for their project.

      Uphill. Both ways. In the snow, lugging a 300 baud portable terminal.

      I'll get me coat...

      1. TimMaher Silver badge
        Pint

        Re: I'll get me coat...

        ... except you won’t. At least not until you pay me as I‘ve hidden your cloakroom ticket.

        The ransom is an icon———>

    2. badflorist

      Because the learning curve of Javascript has the lowest barrier of all languages, so contributions will naturally be overly abundant The accessibility of Javascript is uncanny. You can use any web browser to write Javascript using the browser's dev tools, I know of no other language that accessible.

      The odd thing about Javascript is that as it evolves it becomes easier to use and more standardized but, strangely people find it more and more difficult to write themselves. And again there, I know of no other language that exhibits this uptake of delusional behavior.

      While you might not be in it, Javascript has by far the largest estranged clique of developers that blindly run into walls that are self constructed.

      1. veti Silver badge

        Why does that mean the code can't be screened for malware?

  2. Pascal Monett Silver badge

    So the issues are down to a lack of control

    I can therefor create a package called noblox.js.jackpotnow and nobody is going to bat an eyelid until somebody actually wonders why that exists.

    Somehow that does not strike me as "anyone can contribute", so much as "anyone can fuck it up".

    I've got a feeling that the ease-of-contribution culture is going to get a healthy dose of reality check in the coming years. It's not because it's open source that it has to be a free-for-all. I'm sure developers are going to welcome a bit of verification if it means that their code can be kept from the dregs of the Intarwubs.

    After all, what's the real cost of having to sign in to a project before being able to contribute ? It's just a few emails and an identifier for your contributions.

    Identifier that can be banned if you screw up, of course.

    1. veti Silver badge

      Re: So the issues are down to a lack of control

      I'm inclined to agree. I've published game mods myself, and for me that included signing in. And yes, there was a delay while the code was screened before it was published.

      But that wasn't Roblox. The target market for that platform is schoolkids. I can believe they view things differently. The question is, whether a slightly higher hurdle would discourage people who might otherwise go on to make valuable contributions. My instincts say probably not, but they also say the publisher probably has better data on that question than I do.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021