[HN Gopher] NPM package 'ua-parser-JS' with more than 7M weekly ...
___________________________________________________________________
NPM package 'ua-parser-JS' with more than 7M weekly downloads is
compromised
Author : geocrasher
Score : 74 points
Date : 2021-10-22 20:14 UTC (2 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| ipnon wrote:
| This is the price of free code. If you don't read the open source
| you're adding to your system then don't complain when it owns
| you! You wouldn't take your medicine without reading the label
| first.
|
| NPM is a miracle for open software development, but it requires
| diligence.
| trog wrote:
| Weird comparison. The equivalent with medicine is not 'reading
| the label', but understanding the chemistry, reading all the
| research, reading all the associated papers, understanding all
| the biology, etc.
|
| It's reduced to you needing to only read the label by
| regulation.
|
| Expecting people to read the source of their dependencies,
| outside of very specific use cases and industries, is a lost
| cause.
| ahuth wrote:
| Submitted link is to a reddit thread.
|
| Better one might be the GitHub issue discussing it:
| https://github.com/faisalman/ua-parser-js/issues/536
| flanbiscuit wrote:
| which has already been submitted here:
| https://news.ycombinator.com/item?id=28960439
| olex wrote:
| Maintainer already released clean versions "on top of" the
| compromised ones, and NPM acted on reports and removed the
| compromised versions as well.
|
| Compromised (and no longer downloadable from NPM):
|
| - 0.7.29
|
| - 0.8.0
|
| - 1.0.0
|
| Clean:
|
| - 0.7.28 (last version before the hijack)
|
| - 0.7.30
|
| - 0.8.1
|
| - 1.0.1
|
| Compromised versions apparently contained a cryptomining tool
| capable of running on Linux, and a trojan that extracts sensitive
| data (saved passwords, cookies) from browsers on Windows. Both
| are blocked by up-to-date Windows Defender and presumably other
| AV software.
| meibo wrote:
| NPM/any package manager should not let you upload/manage packages
| with more than 1k downloads a month without 2FA. It's a liability
| and this is bound to happen.
___________________________________________________________________
(page generated 2021-10-22 23:00 UTC)