posted by FatPhil on Tuesday August 08 2017, @01:58AM   Printer-friendly
from the imagine-permitting-unicode-package-names dept.

Submitted via IRC for Bytram

For those who may not have used it, npm:

[...] is the package manager for JavaScript and the world’s largest software registry. Discover packages of reusable code — and assemble them in powerful new ways.

According to the npm Blog, they recently ran into a problem with a user who posted about 40 packages whose names were intentionally very similar to the names of existing packages, and whose code contained something extra:

On August 1, a user notified us via Twitter that a package with a name very similar to the popular cross-env package was sending environment variables from its installation context out to npm.hacktask.net. We investigated this report immediately and took action to remove the package. Further investigation led us to remove about 40 packages in total.

On July 19 a user named hacktask published a number of packages with names very similar to some popular npm packages. We refer to this practice as “typo-squatting”. In the past, it’s been mostly accidental. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. This time, the package naming was both deliberate and malicious—the intent was to collect useful data from tricked users.

All of hacktask’s packages have been removed from the npm registry.

"cross-env != crossenv"; the other typo-squatting attempts are listed in the article.
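One way a project could flag lookalike dependency names of the "crossenv" kind before they get installed, as an added example that is not code from npm, the npm blog, or this story; the popular-package list, the one-edit threshold and the sample manifest are assumptions made for the example:

```javascript
// Added example (not npm's or SoylentNews's code). POPULAR and the sample
// manifest are constructed for illustration.
const POPULAR = ["cross-env", "lodash", "express", "babel-cli", "chalk"];
// Collapse the variations squatters lean on (case, hyphen/dot/underscore),
// so "crossenv" and "Cross_Env" both become "crossenv".
function normalize(name) {
  return name.toLowerCase().replace(/[-._]/g, "");
}
// Levenshtein edit distance (insert, delete, substitute).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}
// The popular package a name resembles, or null when the name is itself
// popular or not suspiciously close to any (within one edit after normalizing).
function suspectedSquatOf(name, popular = POPULAR) {
  if (popular.includes(name)) return null;
  const n = normalize(name);
  for (const p of popular) {
    if (editDistance(n, normalize(p)) <= 1) return p;
  }
  return null;
}
// Walk the dependency maps of a parsed package.json and report lookalikes.
function auditDependencies(pkg, popular = POPULAR) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) {
      const resembles = suspectedSquatOf(name, popular);
      if (resembles) findings.push({ field, name, resembles });
    }
  }
  return findings;
}
// Constructed manifest: "crossenv" mimics cross-env, "expres" is one edit from
// express; lodash and chalk are the genuine packages and must not be flagged.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { crossenv: "^5.0.0", lodash: "^4.17.4", expres: "^4.15.0" },
  devDependencies: { chalk: "^2.0.0" },
};
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Very short names sit within one edit of many others, so in practice the threshold should be tightened for them and the findings reviewed by a person rather than blocked automatically.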


  • (Score: 2) by bootsy on Tuesday August 08 2017, @09:35AM (1 child)

    by bootsy (3440) on Tuesday August 08 2017, @09:35AM (#550518)

    Next time this person tries this trick they may want to change their username to something less suspicious like luvPonies. Having the word Hack in your username is a big giveaway.

    • (Score: 1, Funny) by Anonymous Coward on Tuesday August 08 2017, @09:50AM

      by Anonymous Coward on Tuesday August 08 2017, @09:50AM (#550522)

      I have personally seen people run a "virus.exe" dropped on a desktop.

  • (Score: 2) by Wootery on Tuesday August 08 2017, @12:19PM (5 children)

    by Wootery (2341) on Tuesday August 08 2017, @12:19PM (#550556)

    The solution isn't technical: insist on the developer's real name and address as a precondition for acceptance onto the app store. Works for Apple pretty well. Android's app store is full of malware because they refuse to do this.

    • (Score: 1) by nitehawk214 on Tuesday August 08 2017, @12:39PM (2 children)

      by nitehawk214 (1304) on Tuesday August 08 2017, @12:39PM (#550559)

      Fortunately, people that spread malware never lie; and it is very easy and free to verify identities.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 1, Insightful) by Anonymous Coward on Tuesday August 08 2017, @12:43PM

        by Anonymous Coward on Tuesday August 08 2017, @12:43PM (#550563)

        Ironically, it is for google, with all the information they have on everyone and all that...

      • (Score: 2) by Wootery on Tuesday August 08 2017, @01:43PM

        by Wootery (2341) on Tuesday August 08 2017, @01:43PM (#550580)

        Save your snark. Apple's app store really does have far less malware on it than Google's.

    • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @01:17PM (1 child)

      by Anonymous Coward on Wednesday August 09 2017, @01:17PM (#551076)

      Agree. This shows a problem with the npm repository policy of who uploads what more than anything.
      Who is managing the repo?

      • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @01:20PM

        by Anonymous Coward on Wednesday August 09 2017, @01:20PM (#551078)

        I'll just add that it's not like old days where the chances of malware were almost nil.
        Software lives "in the big city" now. Everyone has their fingers in it, and this includes the scumballs of the *world*.

  • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @08:23PM

    by Anonymous Coward on Wednesday August 09 2017, @08:23PM (#551281)