https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads

https://www.techradar.com/news/hackers-inject-malicious-code-into-another-popular-npm-library

Supply chain attacks will become more common, as they are the most efficient way to gather intelligence on and infect a target. Herd immunity works both ways. If an app invades privacy but is generally accepted by the masses, it will not suffer any consequences. Look at Facebook: for all of its data collecting, it took a congressional hearing and a whistleblower, and even then it is still operating. Good luck trying to get threat actors in front of a congressional hearing.

Similarly, open source software, while generally good, can still suffer many of the same flaws, and if its scope is not properly defined it can become what it was meant to destroy. Most software comes from a need for something: someone didn’t like this button here, there were too many privacy-invading features there, etc. But just because it’s open source does not mean it follows best practice.

I’ve already said this about Chrome and Chromium, especially since there’s basically no **mainstream** competition except for Firefox and Safari. People said, “well, the maintainer caught the malicious commit, so it’s okay.” No! That’s not okay. Find out how it got in in the first place and begin implementing a process to verify identity before allowing a commit to that critical portion of the project. You don’t allow people to write to your system unless they’re in sudoers, so why are you allowing them to commit potentially malicious code? We got saved by one person, and if that person is having a bad day and makes a mistake, we’re all having a bad day.

I cannot stress it enough, and it seems most people are lax about it. One of these days it’ll happen, and by then I hope all of y’all have made sure your company’s insurance covers pretty much your entire portfolio that uses an open source library that’s gone bad. Always fork your own copy of the software for commercial use (within licence limits).
