• colonial@lemmy.world
    link
    fedilink
    arrow-up
    22
    arrow-down
    1
    ·
    1 year ago

    At some point, npm supply chain attacks are going to stop being news and start being “Tuesday.”

    … JS on the backend was a mistake.

      • kattenluik@feddit.nl
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        It wouldn’t have been if it kept to the original purpose of some simple tasks and such, but we can’t have nice things.

    • JackbyDev
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      1 year ago

      JS on the backend was a mistake.

      Typo squatting is not unique to JS.

      • colonial@lemmy.world
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        True, but it’s uniquely bad in the JS world. Developers tend to rely on libraries in almost cartoonish excess.

        • The language is shit in general, leading to an endless parade of frameworks and packages designed to paper over the sore spots.
        • The lack of a well-rounded One True Standard Library™ means lots of trivial functionality needs to come from somewhere.
        • Micro-dependencies are commonplace, leading to bloated dependency trees. I’d guess this is caused by a combination of both culture and the fact that you often want your JS artifacts to be as lean as possible.
  • realharo@lemm.ee
    link
    fedilink
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Clickbait title.

    The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like “noblox.js-vps,” “noblox.js-ssh,” and “noblox.js-secure,” and they were distributed across specific version ranges

    Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?

    You would have to really go out of your way to get infected by stuff like this.

    That being said, there are things npm could do to try to auto-detect “risky” packages (new, similar name to existing projects, few downloads, etc.) and require an additional layer of confirmation, or something like that.

    • atheken
      link
      fedilink
      arrow-up
      9
      arrow-down
      1
      ·
      1 year ago

      Also, as far as I can tell, they’re talking about devs that are building on the Roblox platform, not devs that are building the platform.

      In other words, random devs of varying skill levels getting name-squatted.

      It’s not good, but including Roblox in the title is definitely misleading/clickbait.

      • JackbyDev
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        It is a library to work with Roblox, saying Roblox isn’t misleading. I can agree that “Roblox devs” is misleading though.

        • atheken
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          1 year ago

          It’s misleading because it’s irrelevant and makes it sound like a platform breach.

          Try replacing Roblox with “Foozsplatz” and the implication of severity is completely different, even though the nature of what is being reported is unchanged.

          • JackbyDev
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            I’m confused, in this hypothetical is Foozsplatz a non sense word or is it meant to be a game like Roblox? If you mean the first, then yeah, obviously replacing a proper noun with gibberish changes the implication. If you mean the second then no, it would have the same implication.

            • atheken
              link
              fedilink
              arrow-up
              1
              arrow-down
              2
              ·
              edit-2
              1 year ago

              It literally doesn’t matter. You can remove the word and the nature of the problem being discussed is still the same. What platform is being targeted has nothing to do with the example problem. Roblox is only mentioned to sensationalize it and get clicks.

              • JackbyDev
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Roblox is mentioned because it literally was a library for Roblox lmao. That’s not sensationalizing.

                • atheken
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  The thread you are in and my response made it clear that the headline is clickbait by including that irrelevant detail.

                  If they didn’t include that word in the post title, it would have no traction at all.