I have a bad feeling this is just the beginning. The Node.js ecosystem has some serious systemic problems and we're only in the early stages of seeing them exploited.
I think there should be a trusted tracker of incidents like these with its own npm module. Something that would serve as a notification mechanism for developers. All you would need to do is include the module in your application and whenever you build it'll do a quick check of all your dependencies and compare them against the master list of known malware. If a match is found, your build fails and you get a link to details, with possible solutions (like trusted alternative modules or known-safe earlier versions of the compromised ones) recommended. It would be a little like HaveIBeenPwned for the JS world.
Actually I'd be surprised if this doesn't already exist. I don't have my finger on the pulse of that scene. Seems like this, if implemented well, could go a long way toward mitigating widespread incidents like event-stream.
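A minimal version of the build-time check proposed in the comment above, as an added example that is not from the thread or from any real project: it walks the `packages` map of a package-lock.json (the lockfileVersion 2/3 layout, where keys are `node_modules/...` paths) and fails the build on an exact-version match against a known-malicious list. The advisory entries, versions, URLs and lockfile contents are constructed samples, not real incident data.

```javascript
// Added example: build gate that compares installed packages from a
// package-lock.json "packages" map against a known-malicious list.
// Everything below (advisory entries, versions, URLs, lockfile) is constructed.

// Constructed stand-in for the "master list of known malware" the post describes.
// Matching is on exact version strings; a real list would carry ranges.
const ADVISORIES = [
  {
    name: 'event-stream',
    versions: ['0.0.0-constructed-bad'],
    details: 'https://example.invalid/advisory/event-stream',
    safeVersion: '0.0.0-constructed-safe',
  },
];

// Constructed lockfile fragment in the lockfileVersion 2/3 layout.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/harmless-lib': { version: '1.0.0' },
    'node_modules/foo/node_modules/event-stream': { version: '0.0.0-constructed-bad' },
  },
};

// The installed package name is everything after the last "node_modules/",
// which handles nested installs and scoped packages (@scope/name) alike.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per installed package that matches an advisory.
function findMalicious(lock, advisories = ADVISORIES) {
  const byName = new Map(advisories.map((a) => [a.name, a]));
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name) continue; // the '' key is the root project itself
    const adv = byName.get(name);
    if (adv && adv.versions.includes(meta.version)) {
      findings.push({ path, name, version: meta.version, details: adv.details, safeVersion: adv.safeVersion });
    }
  }
  return findings;
}

// Build gate: 0 when clean, 1 when anything matched. Wire it into a "prebuild"
// script and pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) as lock.
function checkBuild(lock, advisories = ADVISORIES) {
  const findings = findMalicious(lock, advisories);
  for (const f of findings) {
    console.error(`BUILD FAILED: ${f.name}@${f.version} (${f.path}) is on the malware list; details: ${f.details}; known-safe version: ${f.safeVersion}`);
  }
  return findings.length === 0 ? 0 : 1;
}
```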
Brilliant! I knew I wasn't that clever. I'll read up on this, thanks for the link!
It might be easier to build a JS package without these malicious dependencies sneaking in if JS had a proper standard library. I think Google is the only entity positioned to make this happen - they control V8 (the JS engine in Node) and Chrome (the most popular browser, which uses V8 for its JS execution).
If Google made a full stdlib (like Python's), and provided it by default in Node and Chrome, we might finally be able to fix this shitshow. The version bundled in the browser would exclude anything using syscalls and there would need to be a (large) polyfill for other browsers. But I could see Mozilla and other proper browsers getting on board.