Tell HN: Microsoft forgives malware? Node-ipc virus writer not banned GitHub

25 points by unknownaccount ↗ HN
A few months ago there was a supply-chain attack involving the npm package node-ipc, in which one of the maintainers sabotaged the codebase to delete files on thousands of people's computers.

https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/

I just wanted to bring up the fact that the perpetrator behind this cyberattack, "RIAEvangelist", is currently not banned on Github. Hours after publishing the malware code on Github's node-ipc repository they appeared to have temporarily locked his account. But given the fact that his activity remained shortly after, it means Microsoft didnt opt to punish him very long (or at all?).

Malware author's profile: https://github.com/RIAEvangelist

What are the broader implications of Microsoft's inaction against a clear case of computer sabotage? Could their inaction against this user be interpreted as negligence? Could it be interpreted as a relaxation of company policy restrictions against malware being hosted on Github? Discuss.

20 comments

[ 5.1 ms ] story [ 60.2 ms ] thread
Pragmatically, I’d rather have that person contributing under an known account, which people can vet as the see fit.

The alternative is not that the person is banned from GitHub. The alternative is they make a new account, under a new name.

This is parroting the "don't ban people because this way at least we can see what they're doing" meme. What, they can't create more accounts?
Who's to say they don't already have multiple accounts? Surely being able to see at least a portion of their activity on a known account is better than all activity of their activity being anonymous.
No. Because accounts gain reputation. It's more likely they're able to pull off a supply chain attack from a known account then a new account. So, ban accounts as you find them. Obvious.
What’s “reputation” mean on GitHub? If it’s “valid looking commits to valid-looking repos”, it’s very trivial to fake that. You can fake the timestamps, too.
Account reputation means having contributed to projects with reputation.
This old bit. Look.

Just because it's a centralized point of distribution doesn't mean it is desirable to suddenly plop on a responsibility to police the world's software.

Furthermore, if you're not auditing new versions of dependencies before you let them loose on your systems, that's all on you.

Writing software is a bit like sex. You make one mistake, and you end up supporting it for life. Always practice safe dependency management.

Microsoft has no nor should they have any responsibility, to protect anyone from anyone else. Especially with their propensity for going overboard in that regard.

Github is quite lazy in enforcing their terms and conditions. When the Notepad++ author spoke out against the Chinese genocide their repo came under attack from Chinese nationalists and Github decided to do very little about it. I don't believe that Github was unaware of it once the news hit the various front pages on news sites.

I'm not very surprised Github is equally lazy when it comes to protestware like this. Taking action might be seen as voicing an opinion and opinions cost a business money.

Agreed. Github is relatively easy for a business to migrate off of. Your data is relatively portable, and there are competitors, and even self-hosted solutions with feature parity. One error in judgement could cause mass panic throughout the industry and prop up the competition even more. And don't forget that many still have an axe to grind against Microsoft from the Gates/Ballmer days.

I used to run a relatively large open source MMORPG server (hundreds of concurrent users), with a tight-knit community. People there have done some pretty awful things (hacking, doxxing, you name it), yet when you try to punish them, the community finds a way to revolt, and rumors of all sorts will come out of the woodwork. It is human nature. Github is correct to tread carefully in all cases. Whether it is moral is another matter.

It's easy to get your data out but what code review tool do you replace it with? Unless you have a email/patch style workflow (who does these days?) that's going to be extremely disruptive.
What? Github is far from the only code review tool, and possibly not even the best one available.
Gitlab is self-hostable for free and has code review tools very similar if not better than Github. Gitea is more lightweight and has code review built in as well. Both include package repository support. For Gitea you'll need an external integration to get CI/CD support, but Gitlab supports it automatically.

There are tiers of support and feature availability if you want a hosted solution at https://about.gitlab.com/pricing/, though the free version is very similar to Github's free version.

Github hasn't been the only option for source code repos for years now.

Doesn't the responsibility for banning here lie with NPM? Who cares if this person can publish code to Github? The channel used to exploit trust was NPM, and I'd much rather see someone who engaged in software supply chain sabotage get banned on artifact repositories than on a code hosting site.
I don't think NPM is interested in taking responsibility. IMO at this point the responsible thing to do is just don't use npm.
why not ? it is a very good way to test your backup. Aaa, you don't have any ? Bad luck / s
Github is NPM's parent company at this point, so I guess they have similar policies for dealing with this sort of stuff at this point.

My best guess is MSFT (which is the owner of both) is wary of taking a political stance here.

I didn't realize that GH owned NPM. Still, I would expect policies on bans to be pretty different between the two given the different roles each org plays in the larger ecosystem.

Microsoft has taken some fairly assertive political stances wrt Ukraine, so I'm not sure corporate neutrality is to blame here (take this with a grain of salt: I work for MSFT, albeit not on anything remotely related to policy or comms).

They already took a political stance by letting him be unbanned. Theres no way this would ordinarily be allowed. But since the victims were only Russian and Belarusian people, Microsoft let the perpetrator get away with the crime.

The message Microsoft is sending right now is loud and clear: That they dont take malware threats seriously. That it isnt a big deal when users upload malicious code / trigger a supply chain attack that permanently deletes peoples files. Because the worst thing that can happen is only a minor slap on the wrist.

Shit like this is going to keep happening to Russians until they reign in their mad dog leader. Whining about won't fix it, a change of leadership is needed.
To be clear, in a perfect world it's wrong that Russians were having their files deleted. It's also wrong that they're having their factories set on fire, getting conscripted to be blown up in trenches, having their children shipped back home in little boxes, or not shipped back at all. It'll be wrong if the tide turns and they are blown up in their homes. Welcome to war. This is what you were signed up for. Look to who signed you up.