I am uncovering what seems to be a massive widespread malware attack on @github.
- Currently over 35k repositories are infected
- So far found in projects including: crypto, golang, python, js, bash, docker, k8s
- It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
— Stephen Lacy (@stephenlacy) August 3, 2022
[Potential Drama] adds malicious code to over 35k GitHub repos
Any JS developer who isn't using locked NPM package.json versions in 2022 deserves to be hacked by Russians
Every smart dev I know did this 2yrs ago when the state of this NPM shit came to light
Edit: rDrama doesn't even use NPM, they download .js libraries like it's 2007 https://github.com/Aevann1/rDrama/tree/frost/files/assets
When we say we want the Internet to go back to 2007 we mean it.
Kings
I love TypeScript but hate this npm shit, is there any way for me? :(
Fixed typing is just so much more convenient to find bugs early
Learn Rust
Lmao
NPM is bloated
Rails bundler and a bundle of other package managers have the same risks.
The problem is mostly how js encourages a thousand small dependencies each for single line code blocks.
Have you only been working for 2 years? Lock files in node land have been around for 6 years.
Even before then the secure way was always either a custom registry or checking node modules into source control.
I’m not talking about lock files, I mean locking down version numbers.
A lock file wouldn’t do anything to help here anyway?
And I’ve been doing it for over a decade and I’ve seen so many open source projects that still use tildes for every package version number. This is a behavioral change not a tech change.
I am a wannabe codecel so I am genuinely curious: is a locked npm version when you don't use tilde or caret range?
Yep
Lol javascript development is such a joke
how does a lock file help in this case r-slur
With a fixed version number you’re not going to download these exploits unless you explicitly change the version number in your package.json.
Otherwise any dev on your team who does npm install is at risk of installing any new minor package version update.
these are forks not the original packages
but open source means it's harder to introduce malicious code because of all the people looking at it
The commits aren’t getting slipped into OSS projects, he’s creating ersatz duplicates of the OSS projects and adding malware on top. Complete morons then download the wrong copies (possibly) and get pwned. The actual OSS software is unaffected.
I can't count how many times I've needed to tell a company that their private npm repos still need to be reserved on npm.
This why I literally only use proprietary closed source binaries. I pay for it, yeah, but that makes it higher quality.
*Sent from my iPhone 12S
It should be harder for anyone who isn't immediately clicking yes on every single update as soon as it comes out at least.
entire JS ecosystem in shambles
When the teacher finds out the entire class copied one kid's homework because they all have the same wrong answers
Did they create infected copies of projects or add the link to the real projects?
Seems like a real GitHub user is committing the code as a post-install script, then the releases somehow get published as new versions:
https://github.com/operatino/ronin/commit/800aecaf499001a95dd4ec73889020430e09dce4
Latest version is 3.11 https://www.npmjs.com/package/ronin
idk how this could happen, is this a GitHub exploit or dev accounts hijacked? My guess is GitHub exploit.
I think there is a known exploit in GitHub where you can push changes to repositories you don’t own.
is youtube-dl compromised?
https://classicreload.com/win3x-skifree.html
I've an old version saved which I use like once in 2 months. If it stops working, I'll get yt-dlp, thanks.
what's the advantage
Snapshots:
archive.org
archive.ph (click to archive)
ghostarchive.org (click to archive)
you are all being r-slurs, i checked the real orange site and even I can fricking read that this is a nothing burger and false
Fricking good.
Who is merging these PRs from randos without reading them? In my book that ain't malicious, you literally asked for this.