top | item 45170804

cddotdotslash | 5 months ago

NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.

PokestarFan|5 months ago

NPM is owned by GitHub and therefore Microsoft, who is too busy putting Copilot into apps that have 0 reason to have any form of generative AI in them

Cthulhu_|5 months ago

But GitHub does loads of things with security, including reporting compromised NPM packages. I didn't know NPM is owned by Microsoft these days though; now that I think about it, Microsoft of all parties should be right on top of this supply chain attack vector - they've been burned hard by security issues for decades, especially in the mid to late 90s and early 2000s, as hundreds of millions of devices were connected to the internet but their OS wasn't ready for it yet.

wutbrodo|5 months ago

It's not like NPM pre-Microsoft was a paragon of professional management or engineering...

bnchrch|5 months ago

Good god. Not everything has to be about your opinion on AI.

txdv|5 months ago

Just write a check.md instruction for Copilot to check it for malicious activity, problem solved

andix|5 months ago

Is it really owned and run by Microsoft? I thought they only provide infrastructure, servers and funding.

buzuli|5 months ago

For packages which have multiple maintainers, they should at least offer the option to require another maintainer to approve each publish.

mrguyorama|5 months ago

Why would NPM do anything about it? NPM has been a great source of distributing malware for like a decade now, and none of you have stopped using it.

Why in the world would they NEED to stop? It apparently doesn't harm their "business"

pants2|5 months ago

Dozens of businesses have been built to try fixing the npm security problem. There's clearly money in it, even if MS were to charge an access fee for security features.

twistedpair|5 months ago

Identical, highly obfuscated (and thus suspicious looking) payload was inserted into 22+ packages from the same author (many dormant for a while) simultaneously and published.

What kind of crazy AI could possibly have noticed that on the NPM side?

This is frustrating as someone that has built/published apps and extensions to other software providers for years and must wait days or weeks for a release to be approved while it's scanned and analyzed.

For all the security wares that MS and GitHub sell, NPM has seen practically no investment over the years (e.g. just go review the NPM security page... oh, wait, where?).
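One registry-side heuristic for the pattern described above (one author pushing the same install payload into many packages, several of them long dormant, within minutes) as an added example; it is not code from the thread or from npm, and the authors, package names, timestamps and script bodies are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample publish events (no real packages or authors).
# Each event records who published, which package, when, when that
# package was last released before this publish, and its install script.
T0 = datetime(2025, 9, 8, 12, 0)
PAYLOAD = "eval(Buffer.from('...constructed blob...','base64').toString())"
EVENTS = [
    {"author": "mallory", "package": f"pkg-{i}",
     "published_at": T0 + timedelta(seconds=20 * i),
     "prev_release": T0 - timedelta(days=400 if i % 3 else 10),
     "install_script": PAYLOAD}
    for i in range(6)
] + [
    {"author": "alice", "package": "good-lib", "published_at": T0,
     "prev_release": T0 - timedelta(days=7), "install_script": "node scripts/build.js"},
    {"author": "alice", "package": "other-lib", "published_at": T0 + timedelta(minutes=1),
     "prev_release": T0 - timedelta(days=3), "install_script": "node scripts/gen.js"},
]

def payload_fingerprint(script):
    # Byte-identical install scripts across packages share one digest.
    return hashlib.sha256(script.encode()).hexdigest()

def find_burst_publishes(events, window=timedelta(minutes=10), min_packages=5, dormant_days=180):
    """Flag an author publishing the same install script to many packages in one burst."""
    by_author = defaultdict(list)
    for e in events:
        by_author[e["author"]].append(e)
    alerts = []
    for author, evs in by_author.items():
        by_hash = defaultdict(list)
        for e in evs:
            by_hash[payload_fingerprint(e["install_script"])].append(e)
        for digest, group in by_hash.items():
            group.sort(key=lambda e: e["published_at"])
            packages = sorted({e["package"] for e in group})
            span = group[-1]["published_at"] - group[0]["published_at"]
            if len(packages) < min_packages or span > window:
                continue
            # Packages untouched for a long time suddenly getting the same script is the strongest signal.
            dormant = sorted(e["package"] for e in group
                             if e["published_at"] - e["prev_release"] > timedelta(days=dormant_days))
            alerts.append({"author": author, "payload_sha256": digest[:16], "packages": packages,
                           "span_seconds": int(span.total_seconds()), "dormant": dormant})
    return alerts

if __name__ == "__main__":
    for alert in find_burst_publishes(EVENTS):
        print(alert)
```

Real registries would also need to key on the publishing token or session rather than the display name, since a compromised account looks like the legitimate author.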

legohead|5 months ago

I blame the prevalence of package managers in the first place. Never liked em, just for this reason. Things were fine before they became mainstream. Another annoying reason is package files that are set to grab the latest version, randomly breaking your environment. This isn't just npm of course, I hate them all equally.

stevenpetryk|5 months ago

I'm a little confused, is this rage bait or what?

> Things were fine before they became mainstream

As in, things were fine before we had commonplace tooling to fetch third party software?

> package files that are set to grab the latest version

The three primary Node.js package managers all create a lockfile by default.