The ‘s’ in npm stands for ‘security’.
To be fair, as I understand it, this has very little to do with npm. It just happened to be where the potentially malicious code was pushed to, with it being automatically distributed through a third-party CDN.
Author here, that’s accurate. Wasn’t pushing any blame on npm whatsoever - in fact, they were very responsive about removing the malicious packages (and mentioned that they’re working to reduce the opportunities for spam).
Why it’s mentioned up front is because this isn’t the first instance of a malware campaign targeting Chrome extensions through npm/unpkg - the author of unpkg mentioned that a similar strain of malvertising with an identical unpkg link generation algorithm had used his service in the past.
Just something to watch for.
Ah, fair enough. Their team did a pretty good job getting back to my colleague, so there’s that.
From a technical perspective, npm is well above average for a large site. 2FA is supported (but not mandated), etc.
From a social/cultural perspective, it’s insecure because of the large dependency trees.
Even a small app has many dependencies (e.g. I’ve just created a new, empty codebase with create-react-app; it has 898 distinct transitive dependencies from 448 distinct authors).
This means a huge number of maintainers with access to push code that will be added to your app when you next upgrade a dependency.
Even if each maintainer account is reasonably secure, a single account compromise equals code injection.
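An added example (not from this thread, and not npm’s own tooling) of how to measure the "how many accounts can push code into my app" number the comment above is describing. It walks a package-lock.json (v1 nested form and v2/v3 "packages" map), collects the distinct package names, then unions the maintainer accounts of each. The lockfile fragment and the package-to-maintainers map are constructed inline so it runs offline; in real use the map would be filled from the registry (e.g. `npm view <pkg> maintainers --json`, one call per package). All package and maintainer names in the sample are made up.

```javascript
"use strict";
// Added example: estimate the maintainer "blast radius" of a project from
// its package-lock.json. Not code from the thread or from npm.

const fs = typeof require === "function" ? require("fs") : null;

// Constructed lockfile fragment (lockfileVersion 3 shape). Real lockfiles use
// the same "packages" map keyed by install path; a nested copy of a package
// lives under a deeper node_modules path, as js-tokens does here.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { react: "^18.2.0", lodash: "^4.17.21" } },
    "node_modules/react": { version: "18.2.0", dependencies: { "loose-envify": "^1.1.0" } },
    "node_modules/loose-envify": { version: "1.4.0", dependencies: { "js-tokens": "^4.0.0" } },
    "node_modules/js-tokens": { version: "4.0.0" },
    "node_modules/loose-envify/node_modules/js-tokens": { version: "3.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/tiny-unknown": { version: "0.0.1" },
    "node_modules/@scope/lint-tool": { version: "2.0.0", dev: true },
  },
};

// Constructed package -> maintainer usernames map (assumption: fetched from
// the registry beforehand). One account maintains two packages on purpose,
// so that distinct accounts are fewer than the sum of per-package owners.
const SAMPLE_MAINTAINERS = {
  react: ["maint-react-a", "maint-react-b"],
  "loose-envify": ["maint-envify"],
  "js-tokens": ["maint-envify"],
  lodash: ["maint-lodash"],
  "@scope/lint-tool": ["maint-lint"],
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (scoped names keep their slash).
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Distinct package names installed for the project. dev-only packages are
// excluded unless includeDev is set: they never ship in the production bundle,
// but they still run on developer machines and CI, so count them when that is
// the threat you care about.
function transitiveDependencies(lock, { includeDev = false } = {}) {
  const names = new Set();
  if (lock.lockfileVersion >= 2) {
    for (const [path, info] of Object.entries(lock.packages || {})) {
      if (path === "") continue;            // the root project itself
      if (info.dev && !includeDev) continue;
      names.add(packageNameFromPath(path));
    }
  } else {
    const walk = (deps) => {                // v1 nests under "dependencies"
      for (const [name, info] of Object.entries(deps || {})) {
        if (info.dev && !includeDev) continue;
        names.add(name);
        walk(info.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return names;
}

// Union of maintainer accounts over the dependency set. Packages with no
// maintainer data are reported rather than silently dropped, because a
// missing entry means the maintainer count is an undercount.
function blastRadius(lock, maintainersByPackage, opts) {
  const dependencies = [...transitiveDependencies(lock, opts)].sort();
  const maintainers = new Set();
  const unknown = [];
  for (const name of dependencies) {
    const owners = maintainersByPackage[name];
    if (!owners) { unknown.push(name); continue; }
    owners.forEach((o) => maintainers.add(o));
  }
  return { dependencies, maintainers: [...maintainers].sort(), unknown };
}

if (typeof require === "function" && require.main === module) {
  // Usage: node blast-radius.js [path/to/package-lock.json]
  // Without an argument the constructed sample above is used.
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const includeDev of [false, true]) {
    const r = blastRadius(lock, SAMPLE_MAINTAINERS, { includeDev });
    console.log(`${includeDev ? "prod+dev" : "prod only"}: ${r.dependencies.length} packages, ` +
      `${r.maintainers.length} distinct maintainer accounts, ` +
      `${r.unknown.length} without maintainer data`);
  }
}
```

The number to watch is the maintainers count, not the package count: it is the set of accounts whose compromise lands code in your next upgrade. Run it against a real lockfile with a real maintainer map, and treat anything in `unknown` as "not yet counted" rather than "safe".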
Rubygems might be just as bad.
A fresh install of rails 5.1.2 yields a mere 68 dependencies with 112 authors, so I’d say the problem is about 1/4 as bad in ruby.
Ah, yeah, seeing those numbers in context tells a different story.
[e] Wait, 68 dependencies, 112 authors? How can the number of authors be larger?
Many libraries have more than one author - https://rubygems.org/gems/rails lists 12 owners for the main rails gem.
Ah, I was confused by the distinction between the author and the list of maintainers. Gotcha.
Yep - I picked ‘maintainers’ because I’m looking at the security angle, and any maintainer can push new versions.
I saw the update and it’s good I didn’t re-enable the extension. In general, outside of unfriend tracking, I see very little utility in Social Fixer!