Malicious npm Packages Mimicking 'noblox.js' Compromise Roblox Developers’ Systems (thehackernews.com)

submitted 1 month ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

4 comments fedilink hide all child comments

top 4 comments

sorted by: hot top controversial new old

[-] mosiacmango@lemm.ee 8 points 1 month ago

A real issue, but its also a bit funny an article about impersonation is coming from a site called "thehackernews," a site that is clearly trying to ride the popularity of the much better known forum/news aggregator hackernews.

[-] breadsmasher@lemmy.world 4 points 1 month ago

Why does it seem to be specifically npm packages being attacked/mimicked to spread malware? I don’t see the same for nuget or maven, for example. Not to say they don’t have the same issue, just vastly fewer issues? Maybe I just don’t see the information - is it just that npm is used so much more, in general, so its the best attack vector?

[-] lemmy_in@lemm.ee 10 points 1 month ago

In my (non-expert) opinion, there are a few reasons

NPM is more popular than those other services by an order of magnitude, especially among new developer and startups.
NPM allows for code to be executed while you install the package which is different from maven or nuget and allows for easy exploitation paths

[-] x1gma@lemmy.world 4 points 1 month ago

NPM allows for code to be executed while you install the package which is different from maven or nuget and allows for easy exploitation paths

This is the winner. Combine that with a vastly bigger group of inexperienced developers (and I'm willing to die on that hill), and you have a lot of people running node / npm as an admin / root user, who have close to zero idea what they are doing, hitting their project with third party dependencies left and right for no particular reason (left-pad, is-number, ansi console and similar useless crap), and then your dependency management allows for code execution. Also, from my personal feeling, it seems that npm simply cannot properly audit the packages due to the sheer mass. From a technical standpoint it's close to trivial to put your malware onto npm, and then you just need to get someone to install your package, which is way simpler than in other package managers

this post was submitted on 02 Sep 2024

28 points (96.7% liked)

Cybersecurity

5554 readers

99 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social