re: npm package discovered to have bitcoin-stealing backdoor VIEW POST


They have recently started taking steps towards package signing. I was previously for it but this breach was someone literally handing the keys over to someone else. Signed packages do not account for this scenario since the assumption is the person signing is the person pushing the package.

I'm actually not sure what the answer is here because it's not possible to audit the entire dependency tree. My approach has been to stick to a minimal set and then copy the parts I need from other libraries without adding a dependency on the library I'm copying. This works to some extent but is also not a scalable strategy because sometimes you need to pull in the entire library and its set of transitive dependencies.


Also keep in mind that huge companies and small startups alike all basically depend on the same graph of packages, and nobody noticed in time.

I still can't believe that the maintainer of the package is also the maintainer of other hundreds of packages, that's absurd. Nobody should be in charge of so many dependencies by themselves


I mean programmers at large companies are still regular programmers. Most enterprises will use artifactory and vet their dependencies so I think the only people losing in this are the smaller shops that can't afford the people and infrastructure for mitigating security issues.

The issue was also about stealing cryptocurrency wallets so it makes sense it went unnoticed.

code of conduct - report abuse