
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages

89 likes

Submitted 11 hours ago by King@sh.itjust.works to technology@lemmy.world

https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages


Comments

  • magic_lobster_party@fedia.io 8 hours ago

    it's the kind of dependency developers install without a second thought

    I got a feeling this is an attack vector that will continue to grow, as now there’s vibe coding frameworks installing random dependencies without a thought at all.

    • corsicanguppy@lemmy.ca 6 hours ago

      There’s two things at play, here:

      • installing dependencies without checking
      • a framework that will allow this

      Both are absolutely the fault of the user.

  • tux0r@feddit.org 9 hours ago

    lol JavaScript

    • wildbus8979@sh.itjust.works 8 hours ago

      This truly has grown past a JS problem. NPM was kind of the first time dependencies were installed by the project rather than through the OS. But nowadays this has become the norm: golang, rust, and to an extent python also work by installing dependencies directly from git for the most part. This isn’t going to get any better unless we revert to OS based dependencies, which no one wants to do because developers want the latest and greatest model.

      • LedgeDrop@lemmy.zip 7 hours ago

        The way I see it, there are two problems with NPM:

        1. It can blindly run any shell command w/o the developer’s explicit permission.
        2. Anyone can make an NPM module, and the community is so fractured - common tools/features are not built into the language (or a standard library or a “vetted” community library - like boost for C++)

        The first issue might be solvable with things like WebAssembly. Then it’s the developer who gets to decide how far these pm-hooks will reach (both in terms of filesystem, network, etc.) on a per project basis.

        The second will need a shift in community mindset… and all these supply chain attacks are the fuel for that. Unfortunately, it needs to get worse before it’ll get better.

      • muusemuuse@sh.itjust.works 3 hours ago

        Can’t they make dependencies something that get checked at launch time? The executable says “I have the following external dependencies pulled in.” and then, if a version is blacklisted, the executable should stop and throw an error saying exactly what component was blacklisted and stopped it from running.

        Why can’t we have executables declare their dependencies at launch time to the OS?

      • PushButton@lemmy.world 5 hours ago

        Maven entered the room.

      • tux0r@feddit.org 7 hours ago

        This isn’t going to get any better unless we revert to OS based dependencies, which no one wants to do because developers want the latest and greatest model.

        A few operating systems (e.g. OpenBSD) do actually (try to) enforce using pkg for Perl dependencies, due to Perl being “system Perl” instead of “packaged Perl”.

  • iAmTheTot@sh.itjust.works 8 hours ago

    For a layman, how might one deduce if they were affected? I cannot really tell from the article if this was particularly widespread.

    • magic_lobster_party@fedia.io 8 hours ago

      If you haven’t logged in to your WhatsApp through any third party applications you should be fine.

    • Deestan@lemmy.world 8 hours ago

      No way to know for sure based on this. If you used any app that “works with” WhatsApp in any way, you could be affected.
