Preface from the translator
Before you get to the body of the article, I suggest you put it off for a moment, look away from the monitor, and think about how this is done. As always, everything ingenious is simple. The answer is on the surface. Thought about it? Then read on.
Well, here's the correct answer. No. It's a lie. Just as much of a lie as the title and content of the recently translated article “A story about how I steal credit card numbers and passwords from visitors to your sites”.
It seemed obvious to me that it was a small piece of fiction with a slight hint of security awareness, but it seems that very many people took it seriously, and it is unpleasant for me to see once again how the npm community is made into a punching bag without anyone understanding the context, just as happened, for example, after the excellent article “Node.js is cancer”, or after the fragment of Ryan's interview about why he now prefers Go.
I don't know whether it was intentional or accidental, but the author wrote a fantasy on a hype topic, and many took it at face value. I know that arguing with a translation is rather silly, but this translation is being pushed at me through every channel. So I will answer it with another translation. Go.
Scared about npm security? Don't panic!
So, are you also panicking about the security of npm because of recent posts? Especially because of this one: “A story about how I steal credit card numbers and passwords from visitors to your sites”.
Well, here's what I want to tell you. At best, it's a trolling post. Let me tell you why: why it is silly, incorrect, puts npmjs in a bad light, and raises panic out of nothing.
At the beginning of the text, the author describes his scary JavaScript code that can be embedded in a site so that it steals data. The author understands that in order to get other people's data, he needs to spread his code to other sites. He chooses npm for this. Nothing new or amazing: anyone can publish a trojan anywhere, on npmjs, in the Python registry, and so on.
However, the fact that your package is published somewhere doesn't mean anything by itself, just as, for example, building a website that nobody visits doesn't. So the next question is: how do you get the site owners themselves to deploy the trojan? The author understands that this is the main problem, and solves it by creating pull requests on GitHub in which he adds his package to the projects' dependencies.
That's all.
That's the whole hack.
All the content of the text comes down to this idea. No magic.
No remote code execution on npmjs servers.
No remote exploits.
No Meltdown or zero-day vulnerabilities.
No calling npmjs support and whistling 2600 Hz into the support rep's ear.
Let me repeat that.
The author was able to spread his trojan by convincing developers to use it as a dependency. Amazing. Let's sit down, relax, and take a look at this innovative attack vector.
Without a doubt, to pull off this trick the author must be endowed with simply amazing social engineering skills, so I can only step back and recommend him a couple of plans:
- Consider a career in sales or investment, since the author has perfected his elevator pitch.
- Get in touch with Kevin Mitnick and pull off the heist of the century.
So where does npm come into this? Honestly, I have no idea. I don't understand at all why anyone in our JavaScript community is panicking. Why has npm become the scapegoat? The problem is not in it. Sure, they certainly have their own problems, but those are in no way connected with this story.
Translator's note: here I have omitted the author's not entirely successful analogies and his back-of-the-envelope explanation of why half of the password-theft story is bullshit.
Do we understand that we work in open source?
Now I'm talking about all of us: do you understand that you work in the open source community? And what does that mean? Open source is built on trust. On the community, on communication; these are the core values that make the community incredible, and for which I love it.
Can there be vulnerabilities in an open source project? Yes.
Can there be a performance problem in an open source project because of which someone will lose millions over the New Year? Yes.
Eric Raymond beautifully described the situation when open source vulnerabilities were being discussed: “given enough eyeballs, all bugs are shallow”, or, more formally, “given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone”.
When you take open source, you take on the risks that it brings, whether that means bad, malicious or abandoned code. So accept this responsibility. You should check the packages that you install with npm; npm is just a code delivery service.
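As an added illustration (not code from the original post or its translator), here is a small Node.js script for the check the article asks for: it lists what a pull request adds to a project's dependencies and whether an added package declares scripts that run at install time. The package names and package.json contents are constructed for the example.

```javascript
// Added example, not from the original post: the attack vector in the text is a
// pull request that quietly adds the attacker's package to "dependencies". This
// scripts two reviewer checks: what a PR adds, and whether an added package
// declares scripts that npm runs automatically at install time. All names and
// package.json contents below are constructed samples.

// Constructed: package.json on the main branch.
const BEFORE = JSON.stringify({
  name: "shop-frontend",
  dependencies: { react: "^16.2.0", lodash: "^4.17.4" },
  devDependencies: { jest: "^22.0.0" },
});
// Constructed: package.json as proposed by the pull request.
const AFTER = JSON.stringify({
  name: "shop-frontend",
  dependencies: { react: "^16.2.0", lodash: "^4.17.4", "harmless-log-utils": "^1.0.3" },
  devDependencies: { jest: "^22.0.0" },
});
// Constructed: the added package's own package.json, declaring a postinstall hook.
const ADDED_PKG = JSON.stringify({ name: "harmless-log-utils", version: "1.0.3",
  scripts: { postinstall: "node setup.js" } });

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Packages present in afterText but not in beforeText, with the field each landed in.
function newDependencies(beforeText, afterText) {
  const before = JSON.parse(beforeText);
  const after = JSON.parse(afterText);
  const added = [];
  for (const field of DEP_FIELDS) {
    const old = before[field] || {};
    for (const [name, range] of Object.entries(after[field] || {})) {
      if (!(name in old)) added.push({ name, range, field });
    }
  }
  return added;
}

// Lifecycle hooks that `npm install` runs without asking; an added package that
// declares one deserves a close read before the PR is merged.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Given a package's own package.json text, list the install-time hooks it declares.
function installHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

for (const dep of newDependencies(BEFORE, AFTER)) {
  console.log(`PR adds ${dep.name}@${dep.range} to ${dep.field}`, installHooks(ADDED_PKG));
}
```

In a real review the "before" and "after" texts come from the base and head commits of the PR, and the added package's package.json from its registry tarball.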
Epilogue
I understand that that post was a parody, but the reaction and comments showed that people took it too seriously, even to the point of panic. And I must honestly say that I was very upset by the impact this article had on npm and on the discussion of security in general.
I am myself actively involved in computer security: I participate in the OWASP Node.js project, talk about Node.js security at international conferences, and so on. Why am I mentioning this now? To show that I am all for raising awareness of the dangers facing web applications. But I'm sad to see npm and its community made into a punching bag for no reason at all.
I do not personally know David Gilbertson, the author of the original article, but I treat him with all respect, and I am sure that he had no bad intentions and that his story is pure fiction. However, I believe that we can trust the intellect of the readers a little more and tell them about the dangers without such horror stories. Instead of panicking, it is better to constructively discuss how we can improve things.
Afterword from the translator
Besides the npm analogues in other languages that the author mentions, there are also Maven, NuGet, Composer, thousands of frameworks with their own plugins and themes, and so on (if you are interested, I can tell you how malicious code ended up in my WordPress plugin wp-invites, for example). And in the end there is GitHub, from which you can install packages directly in a bunch of languages; yet nobody blames GitHub for hosting malicious code!
And for some reason it is npm that gets the kicks. And just stupid, meaningless kicks without any moral, conclusions or suggestions. And all because of a fictional story. I, like the author of the original article, do not want to say that everything is fine and that there is no cause for concern.
Everything is broken. Even our damn processors.
But don't stir up senseless panic. You can fix something right now. Or write a tool for finding backdoors in npm packages (one more). Or at least report a bug. Or send the developer a donation. Or deploy loki and review packages in your company. Or you can whine about the terrible npm. The choice is yours.