Someone may be prepping an NPM crypto-mining spree

A burst of almost 1,300 JavaScript packages automatically created on NPM via more than 1,000 user accounts could be the initial step in a major crypto-mining campaign, according to researchers at Checkmarx. The creation of 1,283 packages and 1,027 user accounts seems to be the work of someone experimenting with what they …

  1. b0llchit Silver badge
    Facepalm

    Sewage supply

    NPM: No Proper Management

    You know the infrastructure spews garbage when it is unmaintained or unmaintainable, regardless whether it is IT or the drain.

  2. Potemkine! Silver badge

    Developers using external libraries/packages/whatever without proper checking bear a part of the responsibility if something nasty happens.

  3. DJV Silver badge

    Reinventing the wheel

    There's always been this thing about "not reinventing the wheel" but it's becoming obvious that inventing your own wheel does mean that you retain full control over how many spokes your wheel has and exactly what each of those spokes in your wheel does. Relying on randomly updated external sources for your wheels means that you are not likely to notice when that extra spoke goes very, very bad.

    1. Anonymous Coward

      Re: Reinventing the wheel

      ...said a spokesperson!

      1. John Brown (no body) Silver badge

        Re: Reinventing the wheel

        That was a wheely bad pun. I feel a little deflated now.

  4. Ken Hagan Gold badge

    NPM is astonishing

    NPM is the ActiveX of our time. Both result in victims running code on their computers without any control over provenance. It is astonishing that people are still willing to make this mistake.

    1. breakfast Silver badge
      Headmaster

      Re: NPM is astonishing

      NPM is the Visual Basic of our time - it gives you a huge amount of tools and components that allow you to pull together something that looks impressive and works well in a minimal amount of time. Unfortunately the ecosystem does lean shonky and a lot of the packages end up needlessly fat because they incorporate a huge number of small modules that do relatively simple things. That's the trade-off, and whether it matters to you or not is very much down to what you value as a developer. Often quick results that work consistently are worth more than a slimmed down and efficient library, even though the latter is far more satisfying as a developer and less wasteful.

      The JavaScript security model is far more effective than ActiveX ever was, and running code in a working sandbox rather than the "can basically do what it wants on your PC" model of ActiveX is a very different degree of access, but it can absolutely use your system resources to do whatever it feels like within that sandbox, and keeping users safe from that is part of our duty as developers. NPM does not make that easy.

  5. John D'oh!

    I always felt that the correct approach was to develop your own libraries, either personally or as part of a larger organisation. Just reusing code from some random guy on the Internet is just inviting disaster.

    FFS wasn't there a library that just leftpads a number with 0s or something that hosed loads of people's apps when the author had a hissy fit recently? It seems to me that it would take no more effort to write that function than it would to search for it and include it in your build.
