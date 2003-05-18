Submitted via IRC for SoyCow8317
The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.
The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.
The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library. The npm team explains:
The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor. [...] We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi
Source: https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
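To make the mechanism in the npm quote concrete, here is an added example (not code from the npm write-up, from Bleeping Computer, or from the getcookies package). It models a handler that JSON-stringifies every request's headers and scans the result for gCOMMANDhDATAi tokens, treating g, h and i as literal delimiter characters. The two-hex-digit command codes ("01" reset, "02" append, "03" run), the hex encoding of DATA, and the sample traffic are all assumptions for illustration; the page only says there were three commands. Nothing is executed: the "run" step records the assembled buffer instead of evaluating it.

```javascript
// Added example, not code from the npm write-up or the getcookies package.
// Models the channel described above: each request's headers are
// JSON-stringified and the string is searched for tokens of the form
// gCOMMANDhDATAi, where g, h and i are literal delimiter characters.
// ASSUMPTIONS for illustration only: COMMAND is two hex digits, DATA is hex,
// and the three commands are "01" reset buffer, "02" append decoded DATA,
// "03" run buffer. Nothing is executed here; "run" only records the buffer.

const TOKEN = /g([0-9a-f]{2})h([0-9a-f]*)i/g;

// Find every covert token in a request's headers, wherever it sits.
function findCovertCommands(headers) {
  const blob = JSON.stringify(headers);
  return [...blob.matchAll(TOKEN)].map((m) => ({
    command: m[1],
    data: m[2],
    offset: m.index,
  }));
}

// Hypothetical command handling; state is { buffer, executed }.
function dispatch(state, cmd) {
  switch (cmd.command) {
    case "01": // reset the staging buffer
      return { buffer: "", executed: state.executed };
    case "02": // append hex-decoded DATA to the buffer
      return {
        buffer: state.buffer + Buffer.from(cmd.data, "hex").toString("utf8"),
        executed: state.executed,
      };
    case "03": // "run": a real backdoor would eval here; this only records it
      return { buffer: state.buffer, executed: [...state.executed, state.buffer] };
    default:
      return state;
  }
}

// Feed a sequence of requests through the channel and return the final state.
function simulate(requests) {
  let state = { buffer: "", executed: [] };
  for (const headers of requests) {
    for (const cmd of findCovertCommands(headers)) state = dispatch(state, cmd);
  }
  return state;
}

// Defensive side: flag any request whose stringified headers carry the token
// shape, no matter which header name or value it hides in.
function isSuspicious(headers) {
  return findCovertCommands(headers).length > 0;
}

// Constructed sample traffic: the payload is split across three requests and
// three different headers, and each piece looks like harmless noise on its own.
const SAMPLE_REQUESTS = [
  { host: "app.example", "user-agent": "Mozilla/5.0 g01hi" },
  {
    host: "app.example",
    "x-request-id": "g02h" + Buffer.from("console.log(1)").toString("hex") + "i",
  },
  { host: "app.example", cookie: "sid=abc; g03hi" },
];

console.log(simulate(SAMPLE_REQUESTS));
console.log(SAMPLE_REQUESTS.map(isSuspicious));
```

The reason the stringify step matters defensively is that the trigger is not tied to any header: it can ride in User-Agent, a tracing header, or a cookie, so a filter that only inspects known header values misses it. The check above keys on the token shape across the whole header blob instead. A real-world version would also log the offending request rather than silently dropping it, since the first hit is the indicator that the dependency itself is compromised.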
(Score: 0) by Anonymous Coward on Thursday May 03, @04:15PM
This is just another symptom of the wider problem. Remember leftpad? That was the same thing:
People don't think about building software anymore, they just glue stuff together without fully understanding anything. npm makes this even worse because it's so "easy" to pull in a dependency and it hides the secondary, tertiary, ..., n-ary dependencies.
Unless you know what is in your software, you cannot make any, ANY statements about whether it works or not.
I'm sure other environments have similar problems (has anyone done an audit on pip or homebrew?) but the JavaScript 'ecosystem' seems very prone to these kinds of problems because the people operating in it are nitwits.
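The commenter's point about hidden n-ary dependencies can be checked mechanically. The following is an added example (not code from the article, from npm, or from the commenter) that walks a package-lock.json in the lockfileVersion 2/3 "packages" format from the root's declared dependencies, lists what arrives only transitively and through which direct dependency, and raises two cheap supply-chain red flags: a package with no "integrity" hash, and a "resolved" URL that does not point at the public registry. The lockfile inline is constructed for the demo and its package names are placeholders, not real packages.

```javascript
// Added example, not code from the article or from npm. Audits a
// package-lock.json "packages" map (lockfileVersion 2 or 3). The lockfile
// below is CONSTRUCTED for the demo; its package names are placeholders.

const REGISTRY = "https://registry.npmjs.org/";

// Resolve a dependency name the way node does: nearest node_modules first,
// then walk up towards the project root. Returns the lockfile key or null.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root's declared dependencies.
function auditLockfile(lock) {
  const packages = lock.packages;
  const direct = new Set(Object.keys(packages[""].dependencies || {}));
  const seen = new Map(); // lockfile key -> { name, via }
  const missing = [];
  const queue = [...direct].map((name) => ({ name, from: "", via: null }));
  while (queue.length) {
    const { name, from, via } = queue.shift();
    const path = resolvePath(packages, from, name);
    if (!path) { missing.push(name); continue; }
    if (seen.has(path)) continue;
    seen.set(path, { name, via });
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      queue.push({ name: dep, from: path, via: name });
    }
  }
  const transitive = [];
  const flags = [];
  for (const [path, { name, via }] of seen) {
    const entry = packages[path];
    if (!direct.has(name)) transitive.push({ name, via });
    if (!entry.integrity) flags.push(`${name}: no integrity hash`);
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      flags.push(`${name}: resolved from ${entry.resolved}`);
    }
  }
  return { direct: [...direct], transitive, flags, missing };
}

// Constructed lockfile: two direct dependencies, one of which drags in a
// helper that was fetched from outside the registry with no integrity hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "mail-tool": "^1.0.0", "app-server": "^4.0.0" } },
    "node_modules/mail-tool": {
      version: "1.0.0",
      resolved: REGISTRY + "mail-tool/-/mail-tool-1.0.0.tgz",
      integrity: "sha512-AAAA",
      dependencies: { "cookie-helper": "^0.1.0" },
    },
    "node_modules/cookie-helper": {
      version: "0.1.0",
      resolved: "https://example.invalid/cookie-helper-0.1.0.tgz",
      dependencies: { "tiny-util": "^2.0.0" },
    },
    "node_modules/tiny-util": {
      version: "2.0.0",
      resolved: REGISTRY + "tiny-util/-/tiny-util-2.0.0.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/app-server": {
      version: "4.0.0",
      resolved: REGISTRY + "app-server/-/app-server-4.0.0.tgz",
      integrity: "sha512-CCCC",
    },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Running this against a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json"))`) gives the list the commenter says npm hides: everything you did not ask for, and which of your direct dependencies brought it in. The two flags are deliberately narrow; a missing integrity hash or a non-registry tarball URL is not proof of tampering, but either is a reason to look at that package before the next `npm ci`.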