Feross Aboukhadijeh’s Post

We’re detecting a massive automated spam campaign hitting npm right now with an influx of garbage packages, a reprisal of the tea[.]xyz crypto spam, which artificially inflates the spam packages’ dependency counts. #JavaScript https://lnkd.in/eGCMsam3

🚨 Breaking News in the tech world! 🚨 The creator of 'ip' puts the brakes on GitHub due to some shady CVE reports. 🛑🔒 What's going on with open source these days? Let's dive in! 💻🔍 #ainews #automatorsolutions 🔍 Are dubious CVE reports the new trendy threat to open source projects? 🤔 It seems like open source developers are under siege! 😱 🔐 Locking down the 'ip' GitHub repo because of fishy CVEs? 🐟 This is not your average tech drama! Buckle up, folks! 🎢 🔥 Calling all tech wizards! How do we protect the sanctity of open source projects from fake CVEs? 💪💬 #techgurusunite 💡Prediction time! Will this incident spark a revolution in how we handle security flaws in open source? 🌐⚔️ Share your crystal ball visions! 🔮 📈 Let's flashback to history – when has the tech world faced a challenge like this before? What lessons can we learn to overcome this obstacle? 📚🤓 #throwbacktech 💬 Your turn, techies! How can the community rally together to fight against bogus CVE reports? Let's brainstorm some innovative solutions! 🧠💡 #collaborateforsecurity Together, let's dissect this latest tech mystery and emerge stronger and wiser! 💪💻 Drop your thoughts, ideas, and insights below! 👇💬 #techtalks #communitystrong #CyberSecurityAINews ----- Original Publish Date: 2024-06-30 07:35

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question, execution-time-async, masquerades as its legitimate

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question, execution-time-async, masquerades as its legitimate

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question, execution-time-async, masquerades as its legitimate

https://lnkd.in/dCsRaXt8 An interesting story with #node-ip of the last few days has raised the problem of false CVE reports again. The developer of the library, Fyodor Indutny, has moved the repository with the project to ridonli. This happened after the latter encountered problems following a CVE report, the severity of which Indutny unsuccessfully tried to dispute for several months. After the publication, the number of node-ip downloads dropped from 30 million to 17 million per week, and the false CVE caused a warning when building projects, which began to be reported en masse by users. As a result, the project was archived, thus making the news, and GitHub finally managed to get a downgrade. Access to the repository has now been restored (https://lnkd.in/d83kMqbK), and there are those willing to help revoke the CVE. But the problem of attackers, novice researchers gaining vulnerabilities in their portfolios by dubious methods, and lags in interaction between industry participants remains. And, most likely, it will only grow, continuing to wear out developers' nerves. #falsepositive #false #cve #reputation #github #nodeip

How to Implement Rate Limiting in Express for Node.js @AppSignal "[...] rate limiting is a strategy for limiting network traffic by placing a cap on how often an actor can call the same API in a given time frame. That's essential for controlling the volume of requests a client can make to a server in a certain amount of time. To better understand how this mechanism works, consider a scenario where you have a Node.js backend that exposes some public endpoints. Suppose a malicious user targets your server and writes a simple script to overload it with automated requests. The performance of your server will downgrade as a result, hindering the experience of all other users. In an extreme situation, your server may even go offline. By limiting the number of requests the same IP can make in a given time frame, you can avoid all that! [...]" #ratelimiting #nodejs #backenddevelopment #webdevelopment #javascript #api

So I stumbled upon this the other day looking at an open source repositories GitHub Actions workflows. Specifically - it's a GitHub action from the folks at StepSecurity that allows you to enforce an allowlist of domains - blocking traffic to anything other than what you specify from within your build job. It comes with an audit mode to understand what would be needed for a clean build of your application. Theoretically it should be the domains of your package repositories (NPM/PyPI/Private Registries), GitHubs APIs, and container image registries if you are using containers. Pretty neat tool if a malicious package/dependency is high up on your organizations threat model, and the small level of effort to get this going makes it even more attractive. The evil side of my mind thought about trying to implement a C2 using PyPI/NPM/etc 😂 It's free for public repositories, and probably worth the effort if you have GitHub Actions on them. Link in the comments to satisfy the LinkedIn algorithm police

"It looks like there are entities that in theory should fill the void in OSS community and provide resources for managing security reports for overloaded maintainers. However, the verification process of vulnerability reports doesn't involve maintainer at all, and it sounds like the commercial interest of advisory repositories is aligned with creating more vulnerabilities and proving themselves ‘useful’ to companies that utilize them.” - Fedor Indutny #JavaScript #NodeJS #OSS https://lnkd.in/eUB_Ng7S

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download. #malicious #npm #supplychain #software