Npm package event-stream tries to steal your bitcoin

github.com/dominictarr/event-stream/issues/116



How did you get a dark theme on GitHub?

>open source software is safer than closed source software because someone already probably maybe checked the source code so i don't have to check it myself i mean it's on github so it's safe
>what do you mean, international multibillion dollar companies who sell closed source software can be easily sued if they include malware in the closed source software, while open source devs have nothing to lose other than a free pseudonymous account on github when they include malicious code in their precompiled binaries? i mean it's open source so it's safe and closed source is bad


If it was closed-source you'd never know it was doing malicious activity in the first place.

>packet sniffers don't exist
>reverse engineering is a myth
trust me, there are more people working on finding out what popular closed source software, used by millions if not billions of people, does than there are people auditing some random piece of open source software barely anyone has even heard about.

dark reader browser plugin. doesn't work great for everything but is good enough for github

Why would anyone spend time reverse-engineering when they could just audit source code?

because not every software has publicly available source code? wat

Shit comparison because popular open source projects also have received a lot of attention from security analysts, in fact they're usually used as a testbed for security analysis tools so they can build the product using real code and then charge high prices to proprietary developers to scan their codebases.

It would be fair if you were going to compare a small and unpopular piece of closed source to this, which I would argue would not have been audited at all. So open source still wins.

Yep, those malware authors still need places to hide their code

>open source still wins
is this thread about closed source malware or open source malware? LOL looks more like open source got BTFO

Sure you're right about auditing closed software but auditing open software is easier since you have the code readily available, also you don't need to know OBSCURE knowledge to know that this shit is phoning home and/or mining virtual tulips using your processing power.

Based, hopefully stuff like this happens so JS can die

Remember the time Adobe Photoshop stole your Bitcoins? Oh wait...

I see microdick shills have taken over the thread.

Except exploits on open source operating systems can be patch and be verified.

Patched*

just like the time microsoft windows mined Ethereum on my machine. OH WAIT...

I know another thing that hasn't done that: my dick. Please suck it too now.

That's bullshit. systemd would have been audited by now. Truth is nobody wants to audit 2 million lines of code

>install open sores without reading the source code
>complain when it contains malware
FUCKING ROFLMAO

It targets copay and copay-dash, as well as other forks.

github.com/dominictarr/event-stream/issues/116#issuecomment-441744514


But people are auditing firefox which has at least 7 million
blog.mozilla.org/firefox/the-new-firefox-by-the-numbers/

>js standard practice evolved to use npm packages whenever possible
>every npm package installed also installs a tree of millions of micropackages
>implying anyone gives a fuck to audit any of the millions of isOdd isNumber packages
>one micropackage accidentally handed off to hacker by a 4free maintainer who does not get paid yet apparently people think should be culpable
how could this happen free open source development is supposed to be safe!!??????

Don't use NPM

He's to blame for just handing it off the way he did with almost no one knowing it was a different maintainer. He sounds like a bitter nerd in the comments. Doing nothing and having the next maintainer make a fork would absolve him from some of the blame. His package is dead or still getting sizeable weekly traffic. He should have deprecated it then if he couldn't be bothered to more clearly let someone take control.

It's a problem that's going to happen more and needs to be addressed outside of npm being what it is. We're coming to a point where we'll be losing more original authors and need to have more accepted transfers of maintenance or ownership protocols.

This.
First time I installed something with npm I got a deluge of shit installed and I thought to myself "This shit is unsafe". Never used npm-related stuff again.
Same thing with Golang. The nativity of it all verges on collusion.

>nativity
naivety

> not encrypting and backing up your wallets
Play stupid games, win stupid prizes

just imagine what kind of havoc we could wreak
all you need to do is ask


The zillion micropackage dependencies is a thing mostly contained to the JS ecosystem.
With Python there are some transitive dependencies, but never as many as what happens after a yarn|npm install.
With more mature ecosystems like classic .NET or Java transitive dependencies are often kept to a minimum.

how can you be THAT fucking retarded?

Even more retarded are the people yelling in his thread saying it's perfectly A-OK to do something that stupid.

github.com/dominictarr/event-stream/issues/116

This is why having a package manager for every fucking language is a retarded idea, instead of trusting a few autists that manage your distro's packages, you have to trust a lot of retards that can give away control of the repo to anyone.

javascript is a cancerous, omnipresent threat to computer security as a whole
hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5


Never heard of this one until now. Proof?

Dominic is a fucking moron who should not be trusted and should have all his packages removed from NPM

also just another reason to hate npm

hello fellow redditor

guys quit picking on the maintainer who did stupid shit, its YOUR fault he gave the keys to the castle to a chinese hacker


How can we stop it

>This post is entirely fictional


ell em ayy oh


>your bitcoin
>me
>wasting time on buttcoins

What. Are you serious user? This could also be caught by sniffers of course. But it's way easier this way. Can almost solve this statically.

Then why hasn't it? Why did this suddenly appear today? HINT: The only reason this was found was because of a deprecation notice on the crypto usage.

link the reddit thread

old.reddit.com/r/programming/comments/a0kxmw/i_dont_know_what_to_say_backdoor_in_popular/

wow, who could've seen NPM being an insecure piece of shit coming?

> NPM is a stable ecosystem

LULZ

>then why hasn't it?
Is this so hard to understand? The open source nature of this project didn't make it harder to detect at all. And it made it harder to introduce because there were vetting opportunities not available with closed source software.

And in the end we all know this only happened at all because they're npmfags who just throw random junk into their projects. It's the same situation as with leftpad.

>there are more people working on finding out what popular closed source software, used by millions if not billions of people, does than there are people auditing some random piece of open source software barely anyone has even heard about.
Yes, they're called 0-day vendors.

Damn, I just got on holiday and spent the last week learning node meme bullshit so I could start applying for jerbs. Guess I probably should learn something else?

The absolute state of open source security lmao


just like women

fuckk

I thought that was out of a helicopter or some shit at first

Suck to a nigger

WOW REALLY
DID YOU
IT NEVER EVEN CROSSED MY MIND

same

well at least in Golang you can just use the standard library and the golarg.org/x repos

>rely on thousands of shitty small modules and packages that do (isOddorEven) for your bloat.js project
>one of those bazillions of packages gets moved from one hand to another because the maintainer doesn't care about the project anymore
oh no how could this be

It's perfectly okay for a maintainer to do whatever the fuck he wants. After all, the software was provided "as is" with no warranty. It was on users to pin and audit their dependencies. Too hard to do when you drag a gazillion dependencies even to do the most basic of tasks? Then maybe you should consider a different ecosystem. Still, none of this was the maintainer's fault. However, the maintainer later goes on to say that node having tons of packages, each doing one small thing, is a good thing, so he isn't the sharpest tool in the shed.

meanwhile javascript developers are complaining on github that they can't install the worm anymore


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND FUCKO

JAVASCRIPT BABBIES NEVER LEARN

>I no longer have publish rights to this module on npm


what are you, some kind of sizist?

> just like the time microsoft windows mined Ethereum on my machine
Just like utorrent mined cryptocurrency on my PC.

A package manager for every language is a much better idea, distro maintainers already have too much to audit and test, and they aren't specialized in X language. What's retarded is languages that lean heavily on a "crowd-sourced standard library" such as JS and the node mess.

Can't github delete issues lmao?

Fuck Dom and Fuck Niggers.


Yeah utorrent was pulled as a dependency of some shit and you weren't a moron installing it voluntarily

>the second post
topkek
Still, good work, it's hilarious watching wrecked npm users left and right.

alphabet-paid posters blaming this on open source should be banned
you have two choices
>you are able to see exactly what the program you are using does
or
>you risk the program you are using phoning home data, destroying your data, or letting other malicious actors in
glow in the darks will hate this fact but it's true

People have different priorities.
Spending 10 minutes implementing something is way worse than infecting your users with worms.

>881 THOUSAND fucking downloads
>IN A WEEK


Stylus + dark theme

All of that is more effort than reading the source so I don't know why you think it would be more widely done.

.net core is great and gaining traction every year

shit like this makes me want to never run any 3rd party software within a docker container... is this viable nowadays? It seems like it'd be annoying to always have to get a shell and I'd have to use vim exclusively.


I obviously fucked up the 1st sentence, you know what I mean

It only activates for wallets with balances over $400k.
Basically no one will ever know it's there without checking the source.

MOM!!!! THEY'RE STEALING MY INTERNET MONEY AGAIN!!!


The person that asked worked on the package and the original guy didn't give a shit. Stop shitposting and check your dependencies

While there is no LEGAL obligation to not destroy your computer, there is a moral one
The issue is, people gave their trust to a person who spent a lot of time working on a package. And that person broke the collective trust by giving someone complete access to millions of possible computers
What SHOULD have been done
>verify the new maintainer will act in good faith (from either personal history or as a good background)
>if that can't be done, review all pull requests from the author
>if the current maintainer wants nothing to do with the project, archive the project and put a deprecation notice

No matter what you say now, the facts are the facts. People will not trust that maintainer's code any longer. Even projects he currently maintains, there's no guarantee he won't give up control to some third party with malicious intent

what if the "bad actor" is the original owner of the package?
not an npm expert but there doesn't appear to be anything stopping people from making a popular package and then patching malware into it themselves. so blaming the guy for handing ownership away seems misplaced.

>boo hoo someone won't do free shit for me forever what the fuck :((
fucking commies, here's hoping someone shoves a trojan in IsTrue or some shit

Imagine this scenario
>debian maintainers all give up one day
>look for people to hand control over to
>new maintainer either intentionally or unintentionally adds in a rootkit to the build
This is the same concept. Replace Debian with any open source project

Someone checked the code, that's why we know.

Incorrect, we know because the haxx0r used a deprecated cypher function for his obfuscated code.

github.com/remy/nodemon/issues/1442


>also you don't need to know OBSCURE knowledge to know that this shit is phoning home and/or mining virtual tulips using your processing power.
in other words, open source ends up being mostly audited by people that don't have the necessary knowledge to do it properly

if it was closed source people wouldn't have assumed it was safe just because dude open source lmao

woosh
4channel is shit

This just goes to prove that being able to read the source code doesn't mean anybody actually does.
Open source is a scam and a danger to us all.


Compare that to winfags downloading shady drivers/.dlls and etc. The real problem is node devs not willing to implement the simplest of functions without depending on hundreds of packages. Maybe the language is just shit and not fit for anything else beside web design.

> This just goes to prove that being able to read doesn't mean anybody actually does.
> Books is a scam and a danger to us all.

Pro tip: Malicious software is not discovered by reading the source code.

Let this be a lesson to you all freetards.

You say this, posting in a thread about malware that was discovered by reading the source code. But the 'more eyes' argument isn't about intentional malware, it's about finding/fixing exploitable bugs.

It was actually discovered because the hacker used a deprecated function:
github.com/remy/nodemon/issues/1442
I wonder how many of these backdoors exist in npm that don't get detected because they are implemented competently.

you have to go back

>opencucks will defend this
Lmfao

>lmao just code your own drivers
This is how stupid you sound
You can talk about is-number all you want, but the only way stupid packages like that get any weekly downloads is that some large package used it
This is a case of a well respected package that makes dealing with streams easier. It has 1500 dependents vs is-number's 170