undefined | Better HN

0 pointsGigachad4mo ago0 comments

The problem isn't specific to node. NPM is just the most popular repo so the most value for attacks. The same thing could happen on RubyGems, Cargo, or any of the other package managers.

0 comments

gred4mo ago

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

chha4mo ago

Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.

From what I remember (a few years old, things may have changed) they required devs to stage packages to a specific test env, packages were inspected not only for malware but also vulnerabilities before being released to the public.

NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.

arccy4mo ago

npm is run by github / microsoft now, which also sells security products...

viraptor4mo ago

There were. They're just not as popular here. For example https://www.sonatype.com/blog/malware-removed-from-maven-cen...

Maven is also a bit more complex than npm and had an issue in the system itself https://arxiv.org/html/2407.18760v4

pimterry4mo ago

As of 2024, Maven had 1.5 trillion requests annually vs npm's 4.5 trillion - regardless of package count, 3x more downloads in total does make it a very big target (numbers from https://www.sonatype.com/state-of-the-software-supply-chain/...).

master-lincoln4mo ago

No. Having many packages might not be the only reason to start an attack. This post shows it is/was possible in the Maven ecosystem: https://blog.oversecured.com/Introducing-MavenGate-a-supply-...

skwee3574mo ago

One speculation would be is that most Java apps in the wild use way older Java versions (say 17/11, while the latest will LTS is 21).

AndroTux4mo ago

Okay then, explain to me why this is only possible with NPM? Does it have a hidden "pwn" button that I don't know about?

liveoneggs4mo ago

https://docs.npmjs.com/cli/v8/using-npm/scripts

tonyedgecombe4mo ago

>Does it have a hidden "pwn" button that I don't know about?

Perhaps its package owners do.

deafpolygon4mo ago

NPM executes packages as you download them.

p3rspective4mo ago

Make no mistake, Maven Central does get multiple malware components uploaded each year, though not nearly to the same extent as npm or pypi. Sonatype (my former employer) just doesn't report on these publicly each time it happens. It's not an isolated problem but certainly harder to do with maven.

gred4mo ago

I assume you're talking about malware uploaded to new artifact coordinates (possibly named so as to try to confuse users), not hijacking of existing artifact coordinates (group ID, artifact ID)?

1 more reply

throwawayffffas4mo ago

Hoe many daily downloads does Maven have?

vintagedave4mo ago

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

cluckindan4mo ago

Just use dependency cooldown. It will mitigate a lot of risk.

yoavm4mo ago

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

2 more replies

Ygg24mo ago

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.

PunchyHamster4mo ago

Value is one thing but the average user (by virtue of being popular) will be just less clued in on any security practices that could mitigate the problem.

j / k navigate · click thread line to collapse

0 comments

gred4mo ago

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

chha4mo ago

Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.

NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.

arccy4mo ago

npm is run by github / microsoft now, which also sells security products...

viraptor4mo ago

There were. They're just not as popular here. For example https://www.sonatype.com/blog/malware-removed-from-maven-cen...

Maven is also a bit more complex than npm and had an issue in the system itself https://arxiv.org/html/2407.18760v4

pimterry4mo ago

master-lincoln4mo ago

No. Having many packages might not be the only reason to start an attack. This post shows it is/was possible in the Maven ecosystem: https://blog.oversecured.com/Introducing-MavenGate-a-supply-...

skwee3574mo ago

One speculation would be is that most Java apps in the wild use way older Java versions (say 17/11, while the latest will LTS is 21).

AndroTux4mo ago

Okay then, explain to me why this is only possible with NPM? Does it have a hidden "pwn" button that I don't know about?

liveoneggs4mo ago

https://docs.npmjs.com/cli/v8/using-npm/scripts

tonyedgecombe4mo ago

>Does it have a hidden "pwn" button that I don't know about?

Perhaps its package owners do.

deafpolygon4mo ago

NPM executes packages as you download them.

p3rspective4mo ago

gred4mo ago

I assume you're talking about malware uploaded to new artifact coordinates (possibly named so as to try to confuse users), not hijacking of existing artifact coordinates (group ID, artifact ID)?

1 more reply

throwawayffffas4mo ago

Hoe many daily downloads does Maven have?

vintagedave4mo ago

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

cluckindan4mo ago

Just use dependency cooldown. It will mitigate a lot of risk.

yoavm4mo ago

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

2 more replies

Ygg24mo ago

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.

PunchyHamster4mo ago

Value is one thing but the average user (by virtue of being popular) will be just less clued in on any security practices that could mitigate the problem.

j / k navigate · click thread line to collapse