It’s just not funny anymore!
Last week the package Node-IPC picked up a dependency that simply deletes files from the hard disk once it detects that the user has a Russian IP address, and creates a file on the desktop as a protest against the war.
The developer probably got a few pizzas and a visit from the local police after “some” complaints, including from NGOs. Of course he didn’t remove the dependencies in a commit, but just force-pushed the master branch back to an old git state, so that in 2 years nobody will know what kind of shit he built.
But here is the catch: version 11 is still in the NPM registry. He probably can’t get it out of there. So you have malware in NPM, but no source code for it anymore. Yeah!
But wait, that’s not it yet!
Now a Github user named qpwo comes around the corner and just builds a different piece of malware for Node which publishes all of the user’s SSH keys. Why? To show what crap NPM is and how “great” it is that the function for reporting malware simply remains ineffective. It is there, but nothing happens for days. Probably too many tickets came in and it was easier for Github or Microsoft, the owners of NPM, to close their eyes instead of taking stronger action against malware.
But I have to use NodeJS!
Well, I sure hope there’s no one standing next to you forcing you to do that. But if the damage is already done, please run NodeJS only and exclusively in an isolated environment, something container-like. And of course you shouldn’t keep any secrets in there, because the next malware will come around the corner and push not only SSH private keys but also all of your ENV variables somewhere, out of your control.
It bothers me a bit that we have now reached dependency hell. It’s not just NPM, but every modern language that needs dependencies of dependencies of dependencies and then downloads half the internet before the first use. Just the other day a colleague installed two linters for a pure HTML/CSS project: ESLint and Stylelint (+ Stylelint Config Standard). These things pulled in 462 dependencies. 462! It’s so broken!
Reality check: yes, there is no way for normal developers to trust anyone anymore. What company, other than the really big ones, takes the time to actually review or at least skim its dependencies?
And everyone who has repositories with node packages on Github knows how often a pull request from dependabot comes in, pointing out how many security holes you have lying around.
The ecosystem is so broken, but I’m not surprised anymore that Fefe just laughs his ass off over the argument: “Software bug, can’t do anything!”
Update: The readme of the intentional malware package additionally advises against relying on Docker for protection, since there are too many container break-out vulnerabilities if someone really wants to harm you.
Markus asked on Twitter what you can do now. Good question! As written, theoretically you would have to start reviewing all of your dependencies now. Or build them yourself, with the corresponding consequences, i.e. no maintenance, security holes, etc. You can’t? Well, that’s a stupid situation.
In the end, the answer is the same as with your hosting providers: trust. Not blind trust, though. As a developer, you can lose that very quickly. And if a package has countless dependencies, first assume that the developers of the library or framework had no idea what they were doing. In the end, this article only serves to raise awareness of problems that you yourself had not thought about before.
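A starting point for the “review your dependencies” advice above, as an added example that is not part of the original post: a small Node.js script that reads a package-lock.json (npm 7+, lockfileVersion 2 or 3), counts how many packages would actually land on disk, and flags the ones that run install-time scripts or are fetched from outside the public registry. The lockfile content, package names and versions are constructed sample data.

```javascript
// Added example (not from the original post): audit an npm lockfile offline.
// lockfileVersion 2 and 3 carry a flat "packages" map keyed by install path,
// so no dependency has to be downloaded to answer two questions:
//   - which packages run lifecycle scripts at install time ("hasInstallScript")
//   - which packages are resolved from somewhere other than registry.npmjs.org
// Package names and versions below are constructed sample data.

const REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7");
  }
  const report = { total: 0, installScripts: [], offRegistry: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    // Paths look like "node_modules/a/node_modules/b"; the part after the last
    // "node_modules/" is the package name (scoped names like @x/y stay intact).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    report.total += 1;
    if (meta.hasInstallScript === true) {
      report.installScripts.push(`${name}@${meta.version}`);
    }
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      report.offRegistry.push(`${name}@${meta.version} <- ${meta.resolved}`);
    }
  }
  return report;
}

// Constructed sample lockfile: three transitive packages, one of which runs an
// install script and one of which is fetched from a git URL instead of the registry.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-project", version: "1.0.0", dependencies: { "left-thing": "^1.0.0" } },
    "node_modules/left-thing": { version: "1.0.0", resolved: REGISTRY + "left-thing/-/left-thing-1.0.0.tgz" },
    "node_modules/scripty-dep": { version: "2.3.4", resolved: REGISTRY + "scripty-dep/-/scripty-dep-2.3.4.tgz", hasInstallScript: true },
    "node_modules/scripty-dep/node_modules/odd-source": { version: "0.1.0", resolved: "git+ssh://git@example.invalid/someone/odd-source.git#abc123" },
  },
});

const result = auditLockfile(SAMPLE_LOCK);
console.log(`${result.total} packages would be installed`);
console.log("run install scripts:", result.installScripts);
console.log("not from the public registry:", result.offRegistry);
```

To run it against a real project, replace SAMPLE_LOCK with fs.readFileSync("package-lock.json", "utf8"); a flagged package is a reason to read its code before installing, not proof that it is malicious.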
3rd update: Originally I wrote that the malware reporting feature on NPM had been removed; in fact, Github/npm simply does not respond for several days when malware is reported via that feature.