You can mitigate similar attacks by editing your .npmrc
min-release-age=7 # days
ignore-scripts=true
You can mitigate similar attacks by editing your .npmrc
min-release-age=7 # days
ignore-scripts=true
It's a good way to keep the exploit around for seven days, too, if you apply it right away.
I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.
As long as the bot is not allowed to automatically merge minor version bumps in libraries...
Well yes, one can misuse any tool.
How? If you got hit by this you are looking at restoring the system from a safe previous version.
And the compromised versions get pulled, not superseeded by a new release, so once you rebuild you would go back to a safe version...
I always advocate switching to pnpm where install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.
Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.
Minimum age would have prevented it in this case.
Just ask Australian how well minimum age verification works!
On closer inspection, preventing post-install would have fixed it too: "The attack exploited a transitive dependency, plain-crypto-js@4.2.1, which executed a postinstall script to deploy the RAT."
Doesn't seem to have been live for very long.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil.
No spam.
Posts are to be related to self-hosting.
Don't duplicate the full text of your blog or readme if you're providing a link.
Submission headline should match the article title.
No trolling.
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!