Absolutely terrifying, along with the rest of his packages: https://www.npmjs.com/~hacktask
Yeah, I had to reset a couple of tokens. Haven't checked any of the other packages, but it's probably the same.
cc @npmjs could we do something about this account?
I emailed abuse@npmjs.com as well, haven't heard back yet.
They eventually replied, basically saying that it had been addressed and that I should invalidate my tokens that might have been exposed.
Doesn't sound uncommon: "We remedy situations like this by removing the package and occasionally by blocking the user in question."
Yeah, that'd be about right... cc @peabnuts123 https://twitter.com/kyhwana/status/801921801815138304
End of conversation
New conversation
would be super useful if @npmjs would deny publishing a package if another one with a #levenshtein distance <3 is already published !!!
I'm working on a thing that uses quality metrics and prompts users. It would probably catch just about everything folks have brought up
@maybekatz Maybe this little proof-of-concept library would be interesting for you: https://github.com/nickkolok/paraquire
Doesn’t help with postinstall scripts though.
End of conversation
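An added example (not code from the thread, npm or any of the accounts quoted above) of the publish-time gate proposed in that conversation: a Levenshtein-distance check of a candidate package name against a constructed list of existing names, with `crossenv` vs `cross-env` as the case the thread is about.

```python
from typing import Dict, List, Tuple

# Constructed sample of names an npm-style registry already holds (assumption:
# a real gate would query the registry, not a hard-coded list).
KNOWN_PACKAGES = ["cross-env", "babel-cli", "mongoose", "jquery", "lodash"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) using a rolling DP row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalikes(name: str, known: List[str] = KNOWN_PACKAGES,
               threshold: int = 3) -> List[Tuple[str, int]]:
    """Existing names within edit distance < threshold of `name`.
    An exact match is excluded: republishing your own package is not a conflict."""
    hits = [(k, levenshtein(name, k)) for k in known if k != name]
    return sorted((k, d) for k, d in hits if d < threshold)


def publish_decision(name: str) -> Dict[str, object]:
    """Policy from the thread: refuse the publish if a near-identical name exists,
    and report which names it collides with so the publisher can be told why."""
    near = lookalikes(name)
    return {"name": name, "allow": not near, "conflicts": near}


if __name__ == "__main__":
    for candidate in ["crossenv", "babelcli", "express"]:
        print(publish_decision(candidate))
```

A threshold of 3 also flags legitimate short names that happen to be close (e.g. a two-letter variant of a popular package), so a registry would combine this with download counts or a maintainer review step rather than denying outright.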
New conversation
The user has been removed, so, for a reference, here's the full list of packages that they published: pic.twitter.com/F6KcWgnWcw
And here's what to do if you're a user or a package author (NOT an official post): https://iamakulov.com/notes/npm-malicious-packages/
And here's a one-liner to check if your dependency tree has one of these packages: https://pastebin.com/1ADcWejx
New conversation
@snyksec @black_duck_sw Are you able to detect those packages? I tried just one on snyk, no issues found: https://snyk.io/vuln/npm:crossenv
We are now. :) We just added all 37 malicious packages to our DB (ex: https://snyk.io/vuln/npm:crossenv:20170802) so you should be able to test for them now.
That's great to hear! Thank you for watching our back!
The issue here, I think, is that most current methods need to _know_ about bad things before they can detect them.
That's why we have a #security research team, plus all the folks on our KnowledgeBase team. We can't wait for CVEs to be published.
That's awesome, but did you detect those packages also?
Yes, our Hub tool detects those packages, per the engineering team. #Hackathon project CoPilot is still in beta (and free), so not yet there.
So you detected this and didn't report it to @npm_support? Or do you mean that you detect now, after it was found by someone else..