We Need a Solution to NPM Trojans - post-install hell

Attackers have been disguising trojans and other malicious code in the post-install scripts of NPM packages, and developers have been targeted. This is another incident from NPM. NPM needs to step up and solve this problem.

🎙️Listen to the Backend Engineering Podcast

🏭 Backend Engineering Videos

💾 Database Engineering Videos

🏰 Load Balancing and Proxies Videos

🏛️ Software Architecture Videos

📩 Messaging Systems

Become a Member

Support me on PayPal

Stay Awesome,
Hussein
Comments

Enjoying the increased frequency of uploads 🤘

ashishambre

This is exactly one of the problems Deno helps solve. You need to explicitly specify permissions like network access and file system access. Permissions like that could at least help avoid some of these issues. In a situation like this, where a malicious package is meant to maybe parse JSON or whatever, if it needed network access, you would quickly realize something is off about it.

Tszyu

I think this is the kind of problem Deno is trying to solve with its security model.

ChimaAlaebo

This issue can be avoided by disabling post-install hooks. I believe that I have had my npm set up like this for years now.

justbliss

This is becoming an absolute bear in so many public repositories. NPM is the one we hear the most about, but Docker Hub is experiencing a similar set of problems. We really need security to be built into these systems from the ground up!

noahwilliams

Also, they can upload things with the trojan to npm, but keep GitHub clean. Nobody actually downloads from NPM, they just check GitHub.

maratmkhitaryan

Kudos to you Hussein for bringing such great content. The reason why I recommend my colleagues to subscribe to you ❤️

belalkazmi

The nickname of the creator of this package is "lsd-kokain", I'm not kidding.

Arthur-vhme

I have never installed a library that has fewer than 500K installs in a week.

learnmaziyyah

Best channel out there, no kidding (y)

alielb

This is a problem with the JavaScript ecosystem in general. There are way too many dependencies; it's only a matter of time before a trojan works its way into a major framework as a dependency. It wouldn't have to be there very long to cause major havoc.

fadious_padious

Thanks for the good content, keep it up bro ❤️
Just want to say that NjRat was developed by someone known as njq8: the "n" stands for Nasser (his name) and the "j" is Jordan (الأردن). It is very powerful and easy to encrypt. The main problem is that those techniques can be used even with Composer, Maven or any package manager.

khalilbouzidi

The hackers/malware writers, etc. have been using encryption to their advantage for years.
What I'm wondering about is how easy it is to do this for other languages, like Python pip install, etc.

autohmae

That's hilarious! I think all the package registries should check every version of a package before it goes public, or create a code review community, and give points to the community for proper code reviews. The trojans can also be initialized in the library code, which nobody would check!

maratmkhitaryan

Will containerized development serve as a layer of protection against this?

RoyRope

WASI (WebAssembly System Interface) has promise of solving this in the long term. Watch one of Lin Clark's talks about WASI from 2020 or 2019 for more information.

EskoLuontola

I think we need things like this that tell npm to get their poop together. Quite embarrassing for them that a malicious package uploaded last week hasn't been detected yet.

benevans

Why does every NPM package have security issues?

aseel

Is there a sound distortion in this video? Like crackling and popping from time to time? I'm listening to this in headphones and hear them a lot.
When I check "Stats for nerds" there are no dropped frames or any connection problem, and the only difference between the two videos is the build version of the "vp9" codec.
Could you check that out?

RmFrZQ

Should one use a virtual machine for development? Maybe a sandbox environment makes sense to curtail such issues?

nadeemajl