1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.
I just noticed “foreach” on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control “foreach” on NPM, and the 36826 projects that depend on it.
@wolf480pl Preventing other people from using it is enough. That and using it as a chance to educate people on why they can’t trust NPM.
@lrvick if only all people seeking world domination were like you
@technicallypossible @wolf480pl I don’t recommend trusting me… or any single individual, with this kind of power.
If someone asks me nicely with a rubber hose, I will be obliged to hand over access.
There is a reason the name of my company is “Distrust”
Distrust should lead to Distributed Trust.
Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.
@lrvick @technicallypossible @wolf480pl Random neighbor standing out front watering their lawn: “Hey Lance, can you hand me over access?”
You, noticing the hose is made of vinyl or something instead of rubber: “Haha no.”
Maybe you should just replace the package with a link to MDN’s entry on the regular foreach 🤷‍♀️
@Johann150 yes, that’s true. It made it into ECMAScript 5.1
Now if you’ve for _some_ weird reason a system that requires some _older_ build target you get a polyfill.
That was provided by packages like this and should be helluvEOL nowadays. There are better suited and highly automated polyfills.
Anyway, the issue is very real. This happened before and will happen again.
It’s also the very same for most language depending package managers out there and this is why version pinning is a thing.
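As an added example that is not part of the thread or any poster's code: the "version pinning" point above only holds when two things are true of a project, so this small Node.js audit checks both against a constructed `package.json` and a constructed lockfileVersion 3 `package-lock.json`. Every declared dependency must use an exact version rather than a `^`/`~` range, and the lockfile entry for it must carry an SRI `integrity` hash (and come from the expected registry host, which is a parameter here and an assumption of the example). Package names, versions, URLs and the hash below are constructed samples; the lockfile layout (entries under `packages` keyed by `node_modules/<name>`, with `version`, `resolved` and `integrity`) is npm's lockfile v2/v3 format.

```javascript
// Added example (not from the thread): audit a package.json and its
// package-lock.json for the two controls behind "version pinning":
// exact version specifiers and lockfile integrity hashes.
// All package names, versions, URLs and hashes below are constructed samples.

// An exact version is MAJOR.MINOR.PATCH with optional prerelease/build tags.
// Anything else (^, ~, >=, *, x, "latest", "||") floats to newer releases.
const EXACT_VERSION =
  /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Registry host tarballs are expected to come from (an assumption of this example).
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Flag every declared dependency whose specifier is not an exact version.
function auditPins(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ name, field, spec, reason: 'floating version range' });
      }
    }
  }
  return findings;
}

// lockfileVersion 2/3 records installed packages under "packages", keyed by
// install path ("node_modules/<name>"), each with version, resolved and an
// SRI "integrity" hash. Without that hash an exact pin is only a label:
// the registry could serve different bytes under the same version.
function auditLock(pkg, lock, registry = DEFAULT_REGISTRY) {
  const findings = [];
  const packages = lock.packages || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, reason: 'missing from lockfile' });
      continue;
    }
    if (!/^sha(?:256|384|512)-[A-Za-z0-9+/=]+$/.test(entry.integrity || '')) {
      findings.push({ name, reason: 'no SRI integrity hash in lockfile' });
    }
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      findings.push({ name, reason: `resolved from unexpected host: ${entry.resolved}` });
    }
  }
  return findings;
}

// Constructed sample inputs.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    foreach: '9.9.9',             // exact pin (constructed version number)
    'tiny-polyfill-b': '^1.0.0',  // floats: any future 1.x release is picked up silently
  },
  devDependencies: {
    'dev-tool-c': '~2.1.0',       // floats within 2.1.x
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/foreach': {
      version: '9.9.9',
      resolved: 'https://registry.npmjs.org/foreach/-/foreach-9.9.9.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',  // constructed placeholder hash
    },
    'node_modules/tiny-polyfill-b': {
      version: '1.0.3',
      resolved: 'https://mirror.example.invalid/tiny-polyfill-b-1.0.3.tgz',
      // integrity deliberately absent in this sample
    },
    // dev-tool-c deliberately absent: package.json and lockfile have drifted
  },
};

// Run both audits and return the findings grouped by kind.
function runAudit(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCK) {
  return { pins: auditPins(pkg), lock: auditLock(pkg, lock) };
}

// Render findings as one line each, for a CI log or a pre-commit hook.
function formatFindings(result) {
  const lines = [];
  for (const [kind, list] of Object.entries(result)) {
    for (const f of list) {
      lines.push(`[${kind}] ${f.name}: ${f.reason}${f.spec ? ` (${f.spec})` : ''}`);
    }
  }
  return lines;
}

console.log(formatFindings(runAudit()).join('\n'));
```

On the sample input this reports two floating ranges, one dependency with no integrity hash that also resolves from an unexpected host, and one dependency missing from the lockfile entirely. Note what it does not catch: the thread's step 4, where a maintainer's own pull request bumps a pinned version to a release they now control, passes every check here because the pin and the hash are both updated honestly. Pinning turns a silent upgrade into a reviewable diff; someone still has to review it.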
@RyunoKi …and browser extensions and game mods. Heck, whatever allows to regain access to an account via mail basically.
No 2FA on your Google Dev account? Too bad 🙃
@RyunoKi Google boo whatever. Try releasing a Chrome extension without :P
(Or an Android app).
@bekopharm
Pah!
Why would I want to write for Chrome?
That doesn’t help Firefox at all.
@bekopharm @Johann150 @RyunoKi Attacks on PyPI (the one I know best) and the others based on the fact that anybody can upload a new package have already happened and will keep happening.
With npm it happens more often because of the higher visibility, the culture of tiny libraries that multiplies the attack surface by a few orders of magnitude, and other social factors.
@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi Personally I very much prefer to live in a world where there are two layers in the distribution of software (libraries).
One where everybody can upload, and I as a moderately competent software person can go to discover new things, review them (both as code and as maintainership situation), decide whether or not I