(Comments)

Original link: https://news.ycombinator.com/item?id=43484845

A recent Hacker News post discussed malware found in an NPM package that creates a reverse shell, highlighting concerns about the security of open-source code repositories. Users debated possible solutions, including Google's "assured" open-source repositories and the need for stronger security measures. Some commenters pointed out that most package repositories (Go, Rust, Swift, Ruby, Python) lack review mechanisms, in contrast to the automated checks of Java's Maven/Sonatype and OCaml's opam review process. The discussion also revolved around the risks of `npx` and `postinstall` scripts, which allow unprompted network and filesystem access. Proposed solutions included wrapping binary execution so that it requires user authorization. Some users suggested using AI to scan for malicious packages, while others mocked the idea by proposing that buzzwords such as "blockchain" be added as well. The overall sentiment reflected growing unease about the security vulnerabilities inherent in relying on unvetted open-source packages.


Original text
Malware found on NPM infecting local package with reverse shell (reversinglabs.com)
26 points by gnabgib 1 hour ago | 12 comments

I think the industry is going to soon look back on building with Wild West open-source repos like we looked back on not having absolutely everything running on HTTPS in the Snowden era. I know Google has "assured" open source repos for Python and Java [1]. Are there other similar providers for those and other languages?

[1] https://cloud.google.com/assured-open-source-software/docs/o...



The fact that http fetches and fs reads don't prompt the user is continually the craziest part of `npx` and `package.json`'s `postinstall`.

Does anyone have a solution to wrap binary execution (or npm execution) and require explicit user authorization for network or fs calls?



Use Rust


According to the comment below, it should be “Use Java”.


Back in the day repositories had 'maintainers' who reviewed packages before they became included. I guess no one really cares in the web dev world; it's a free-for-all.


It’s not just web dev: Go, Rust, Swift, Ruby, Python, none of them do any checking.

In fact the only repo I know of doing any checking is Java’s Maven/Sonatype and it’s automated not manual.



OCaml's opam does have a review process, although I'm not sure how exhaustive. It's got a proper maintenance team checking for package compatibility, updating manifests and removing problematic versions.

I don't think this would be viable if the OCaml community grew larger though.



Malware in a crypto-related JavaScript package. Surprised Pikachu face


I think they should start scanning packages with the help of AI.


“Let’s 10x that shit”?


Nah! Then we would need to add some blockchain and maybe sprinkle some other buzzwords here and there for good measurement!


Water is wet.