14 comments

[ 10.2 ms ] story [ 459 ms ] thread
This is a clever way to raise important issues in security of package managers, but I can't find support for your claim that NPM doesn't let you report malware. A cursory google search brought me this: https://docs.npmjs.com/reporting-malware-in-an-npm-package

And I confirmed that that button is indeed available on packages with a link that goes to eg https://www.npmjs.com/support?inquire=security&security-inqu...

What functionality was removed?

I'm also seeing a "Report malware" button directly on the package page
When I went to report vulnerabilities in two packages, I got a prompt "are you the maintainer of this package?". I hit no and it told me to go inform the maintainer.
(comment deleted)
I'm not sure what to tell you. I submitted a report against your package and it went through and a security ticket was opened.

Could you post some screenshots of what you are seeing?

I suspect OP conflated "I am reporting malware in a package on npmjs.com" with "I have discovered a bug or vulnerability in a package on npmjs.com." The later shows what they report[0] whereas the former does allow for a report to be made.

[0] https://imgur.com/VSZbZ0Q

I get npm, but is it that realistic that yum will pull down a virus? If yum could be infected, then you are either pulling down obscure packages or using a 3rd party repository. If a mainstream package could get infected, it’s just as likely to end up in the base image that you started with (ISO, docker container, etc).
> Put passphrases on all your private keys. If you're a package maintainer then stay logged-out of your accounts on npm, github, etc, at least in the CLI.

Doesn't help when burglar is already in your house.

> Can't this be detected? Not really.

Contrary to OP belief, there are tools that claim to detect such malicious packages. I wonder how effective they are.

Yep I've been trying to get our company to pay more attention to it. It's not just nodejs. All the new hipster languages pull in whatever they can grab. Python, golang, Ruby..

A lot of this stuff is submitted by random people that have no verified credibility. It's really worrying. I'm sure it'll take another major incident though before we'll really pay attention to it. Like wanna cry/notpetya did for SMBv1. Because the devs don't want any mitigations, it'll make their work more difficult.

This is why it's important to use containers for development - or at least SELinux on your development host machine.

Simply restrict file access of npm to its cache folders, so it cannot access your other user configuration files.

Use additionally a host firewall like opensnitch to block npm from any other host than npmjs.com.

This should be the default.

On Linux, packages should provide the SELiunx (or whatever) rules they need, and the user should accept them or not install the package (just like permissions on Android/iOS apps).

On Windows, the application could be sandboxed to its folder in `Program Files` and `%APPDATA%`.

Being secure by default should be the norm. When its not, you can tell users "you should do this" all you want, they won't do it.

Completely agree with you, selinux would be much much nicer if configuration and setup would be easier and streamlined with downstream packages. The current "GUI" is basically a configuration editor that nobody understands. Maybe it's time to improve it?