NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
Submitted 3 weeks ago by King@sh.itjust.works to technology@lemmy.world
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
Comments
chronicledmonocle@lemmy.world 2 weeks ago
I know I’m old because I saw 56k and immediately wondered why they were doing this over dialup.
Holytimes@sh.itjust.works 2 weeks ago
I’m 34 and had this same thought… ): I dun wanna be old yet
tux0r@feddit.org 3 weeks ago
lol JavaScript
wildbus8979@sh.itjust.works 3 weeks ago
This truly has grown past a JS problem. NPM was kind of the first time dependencies were installed by the project rather than through the OS. But nowadays this has become the norm: golang, rust, and to an extent python also work by installing dependencies directly from git for the most part. This isn’t going to get any better unless we revert to OS based dependencies, which no one wants to do because developers want the latest and greatest model.
LedgeDrop@lemmy.zip 3 weeks ago
The way I see it, there are two problems with NPM:
- It can blindly run any shell command w/o the developer’s explicit permission.
- Anyone can make an NPM module, and the community is so fractured - common tools/features are not built into the language (or a standard library or a “vetted” community library - like boost for C++)
The first issue might be solvable with things like WebAssembly. Then it’s the developer who gets to decide how far these pm-hooks will reach (both in terms of filesystem, network, etc) on a per project basis.
The second will need a shift in community mindset… and all these supply chain attacks are the fuel for that. Unfortunately, it needs to get worse before it’ll get better.
Venator@lemmy.nz 2 weeks ago
no one wants to do because developers want the latest and greatest model.
That’s not true at all, the OS doesn’t have, and shouldn’t have, everything that a package has…
The alternative isn’t for the OS to do it: it’s to implement everything yourself… Speaking from previous experience working at a company that did exactly that… It has its own set of problems… But it is at least secure 😅
muusemuuse@sh.itjust.works 2 weeks ago
Can’t they make dependencies something that gets checked at launch time? The executable says “I have the following external dependencies pulled in.” and then if a version is blacklisted, the executable should stop and throw an error saying exactly what component was blacklisted and stopped it from running.
Why can’t we have executables declare their dependencies at launch time to the OS?
tux0r@feddit.org 2 weeks ago
This isn’t going to get any better unless we revert to OS based dependencies, which no one wants to do because developers want the latest and greatest model.
A few operating systems (e.g. OpenBSD) do actually (try to) enforce using pkg for Perl dependencies, due to Perl being “system Perl” instead of “packaged Perl”.
rollerbang@lemmy.world 2 weeks ago
I’ve got to research how I can do an individual sandbox/jail for projects that are opened using VSC.
iAmTheTot@sh.itjust.works 3 weeks ago
For a layman, how might one deduce if they were affected? I cannot really tell from the article if this was particularly widespread.
magic_lobster_party@fedia.io 3 weeks ago
If you haven’t logged in to your WhatsApp through any third party applications you should be fine.
Deestan@lemmy.world 3 weeks ago
No way to know for sure based on this. If you used any app that “works with” WhatsApp in any way, you could be affected.
magic_lobster_party@fedia.io 3 weeks ago
I got a feeling this is an attack vector that will continue to grow, as now there’s vibe coding frameworks installing random dependencies without a thought at all.
corsicanguppy@lemmy.ca 2 weeks ago
There’s two things at play, here:
Both are absolutely the fault of the user.