
'Everything wrong with open source software security' 5 years ago.


crp


Is this issue still a problem? Is there some sort of vetting that occurs when new people take over project maintenance?

Quote

A hugely popular open source Javascript npm module had malicious code injected after the original developer handed it over to another unknown person to maintain.

https://www.itnews.com.au/news/unknown-dev-gets-rights-to-popular-module-adds-crypto-stealer-516106


securitybreach

Well, this is a problem for most OSs, and it's not just hackers; governments as well actively try to exploit applications nowadays. Also, you have to remember it's kind of rare when you hear about this happening with Linux and open source. This is literally a daily issue for other OSs. Is it any better? An attack is an attack, but I would rather it be a rare thing versus having to worry about a constant attack threat. It's a matter of opsec (operational security) on what you deem a security issue or threat. Something like this is a non-event for most users. That said, with open source these things are quickly fixed when found. Most open source code is audited, but smaller projects just do not get the amount of views as the more popular ones.

  • 2 weeks later...

Hello,


There have been other issues with other NPM packages, just like there have been issues with web browser extensions after they get sold by the original developer, etc.

I think there are a lot of people who don't review the source code or just download the precompiled binaries for projects. It's understandable that not everyone can (or is able to) review all source code before installing a package, though.

Regards,

Aryeh Goretsky


On 8/3/2022 at 3:58 AM, goretsky said:

Hello,

Case in point: 

Regards,

Aryeh Goretsky

Whew! Turns out Stephen's original post left out a lot of context. Things are not nearly so bad as indicated.

"35,000 code repos not hacked—but clones flood GitHub to serve malware"
