Profile picture
Gary Bernhardt @garybernhardt
, 9 tweets, 2 min read Read on Twitter
An NPM package with 2,000,000 weekly downloads had malicious code injected into it. No one knows what the malicious code does yet. github.com/dominictarr/ev…
There are basically two camps in that thread.

1) This is the original maintainer's fault for transferring ownership to someone they didn't know and trust.
2) Ownership transfer was fine; it's your job to vet all of the code you run.
Option 2 (vet all dependencies) is obviously impossible. Last I looked, a new create-react-app had around a thousand dependencies, all moving fast and breaking things.
Option 1 (a chain of trust between package authors) seems culturally untenable given the reactions in that thread, including from well-known package authors.
There was an option 3: don't decompose your application's dependency graph into thousands of packages. People who argued that position were dismissed as (to paraphrase heavily) old and slow. That ship has sailed, and now we're here.
It was cryptocurrency. Of course.
We knew that this was coming. hackernoon.com/im-harvesting-…
Why did this happen to NPM and not another system? Partly, NPM is just a big target. But partly because NPM modules are tiny, so there are more modules and maintainers, which means more attack surface area. Create-react-app 2.1.1 installs 1,770 dependencies (excluding dupes).
This package's author owns 423 packages on NPM. That doesn't include all of the ones that they authored, but are now owned by another maintainer.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Gary Bernhardt
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @garybernhardt see all

Profile picture
I wrote a bunch of horribly awkward code, then deleted it and replaced it with eight lines of SQL (max width 64 chars). Greetings from 1974.
Update: six lines!
"The relational view (or model) of data described in Section 1 appears to be superior in several respects to the [document database model, roughly -GRB] presently in vogue for [databases that merely store data]."

-- Codd in 1970, but could've been 2018. seas.upenn.edu/~zives/03f/cis…
Read 5 tweets
Profile picture
An npm module named husky destructively added pre- and post-commit hooks to my dotfiles repo (literally ~/.git!). Or maybe some other module told it to do that. I never asked for that. I don't understand why the JavaScript tool ecosystem is like this!
please don't "distrupt" my dotfiles, tech industry
Exciting update: it destructively installed 18 different git hooks.
Read 16 tweets
Profile picture
One of the biggest selling points during the rise of dynamic languages was that they lacked complex, fragile build processes. Fast-forward 15 years and the most popular dynamic language has build tooling more complex and fragile than many static languages. Time is a flat circle.
btw I wrote this while waiting *six minutes* for the dev dependencies to install for a very small library that I use
he died as he lived, waiting for `npm install`
Read 3 tweets

Related threads

Profile picture
Four years ago on new years eve, I set out to build for myself a robust habit of habit engineering. Looking back, doing this has been very transformative for me.

A thread 👇
1/ I was originally inspired by Benjamin Franklin’s autobiography. He used to keep a sort of spreadsheet with a row for each day of the week and a column for each habit he was working on. In each cell he would mark whether or not he succeeded for that day/habit.
2/ Over the years, my version of Franklin's spreadsheet has evolved into a kind of personal "life operating system" that I call walrOS. It looks like this:
Read 19 tweets
Profile picture
One of the interesting things about AWS Firecracker is that it is (one of?) the first OSS projects *originated* by AWS. It will be interesting to see how outside contributions and community are curated. Some comments after a 2 minute look at the repo/docs:
First, there is a Code of Conduct (github.com/firecracker-mi…). It is very corporate though where violations are reported to an amazon alias. If a real community forms it'll be interesting to see if this shifts to be a community driven thing.
The MAINTAINERS.md (github.com/firecracker-mi…) lists the Amazon team working on it. Doesn't look like there is provision for external maintainers.
Read 9 tweets
Profile picture
don't forget to also check your local machine (for the backdoor, github.com/dominictarr/ev…, ICYMI)

find / -type d -name "event-stream" -print 2>/dev/null
More specifically, search for `flatmap-stream`, as that is the malicious package:

find / -type d -name "flatmap-stream" -print 2>/dev/null

Thanks @OCombe for pointing this out
✨ And finally you should be using `npm ci` OR `yarn install --frozen-lockfile` to install your deps on your servers:

npm: blog.npmjs.org/post/171556855…
yarn: yarnpkg.com/lang/en/docs/c…
Read 3 tweets
Profile picture
Holy hell, Node. A package with 2 million downloads a week and the maintainer hands over control to a rando stranger? And now it's mining cryptocurrency. Wow.
github.com/dominictarr/ev…
Correction - not mining, stealing
But really, that's just a detail. The problem is this thing was apparently used on some big sites. Zero integrity. Software security supply chain ftw.
Read 5 tweets
Profile picture
NPM library with 2m installs has a backdoor, looks to be some kind of Trojan (stealer?) github.com/dominictarr/ev…
This was backdoored across a few million installs by emailing the author and asking for access. HT @0x736A.
One of the things to emerge over last few years is npm and Node.js ecosystem - billion dollar companies and startups alike are building complex systems on top of often unmaintained code written by random people for no pay.
Read 4 tweets
Profile picture
(thread) Yesterday Crytek filed their rebuttal to the motion to dismiss (MtD) which RSI/CIG filed on Jan 5th, amid much fanfare.

You can read it in all its apocalyptic glory on Pacer or at the link below.

docdroid.net/v7yQ0LL/respon…
We already knew that a response to the MtD was coming; but since many delusional people had taken one look at the PR laden response by CIG and given them a win, most didn't know what to expect from the Crytek response.

I certainly wasn't expecting the beatdown Skadden delivered.
In fact, back (below) when I wrote my opinion on the CIG response, and stated that Ortwin had basically drawn the battle lines with open hostility, I knew that it was going to set the tone going forward. Boy did Skadden deliver.

threadreaderapp.com/thread/9496260…
Read 88 tweets

Trending hashtags

#app #JavaScript #AccidentsWillHappen #DataValidation #ai #Marlowe #Bittrex #KCC #Zcash #RecordStoreDay2019 #technology #EnoughIsEnough #smarticities #NorthKorea #smartcities #CleverTap #Github #smarticites #ItsTime #postofficetrial #bigdara #GAN #IOTA #Rust #bigdats

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!