Submitted 1 year ago by abobla@lemm.ee to programming@programming.dev
https://www.cyber-oracle.com/p/roblox-game-devs-duped-by-malicious
The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like “noblox.js-vps,” “noblox.js-ssh,” and “noblox.js-secure,” and they were distributed across specific version ranges
Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?
You would have to really go out of your way to get infected by stuff like this.
Also, as far as I can tell, they’re talking about devs that are building on the Roblox platform, not devs that are building the platform.
In other words, random devs of varying skill levels getting name-squatted.
It’s not good, but including Roblox in the title is definitely misleading/clickbait.
It is a library to work with Roblox, saying Roblox isn’t misleading. I can agree that “Roblox devs” is misleading though.
That’s why we need script blockers by default.
colonial@lemmy.world 1 year ago
At some point,
npmsupply chain attacks are going to stop being news and start being “Tuesday.”… JS on the backend was a mistake.
noli@programming.dev 1 year ago
JS was a mistake.
kattenluik@feddit.nl 1 year ago
It wouldn’t have been if it kept to the original purpose of some simple tasks and such, but we can’t have nice things.
JackbyDev@programming.dev 1 year ago
Typo squatting is not unique to JS.
colonial@lemmy.world 1 year ago
True, but it’s uniquely bad in the JS world. Developers tend to rely on libraries in almost cartoonish excess.