Guix saves you from this. You can import NPM packages in a container (not even touching $HOME) and get a shell on the spot with just the dependencies and nothing more.
Learn about 'guix import'.
Oh, and you can install Guix on any GNU/Linux distro.
I've been saying for ages, use XMLHttpRequest, or hell, even fetch().
Stop downloading code from the internet unless it's a major strategic decision.
Just a reminder that you can run most node things with deno run and have opt-in permissions, an audit trail and even external permission system integration now. The gotcha is that "deno task <<some package.json script>>" will NOT execute with this model, which I find extremely unintuitive and which had me thinking Deno had abandoned its sandbox for Node.js compatibility completely.
174025 dependents.
My first thought was does VS Code Insiders use it (or anything it relies on, or do any extensions etc). Made me think.
Default setting "latest" should be caught in every static code scanner. How many times has this issue been raised?
Is this an issue for those only using axios on the frontend side like in a VueJS app?
npm really needs to provide an option to set individual packages to only be publishable via trusted publishing.
PSA: Make sure to set a minimum release age and pin versions where possible.
Pin your dependencies folks! Audit and don't upgrade to every brand new version.
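An added example (not written by any commenter in this thread) that turns the advice above, and the earlier remark that a default of "latest" should be caught by a static scanner, into a small lint: it flags package.json ranges that can float to a brand-new release and package-lock.json entries that lack an integrity hash or were fetched from a host other than the public registry. All sample data, package names, versions and integrity values are constructed for the demonstration.

```javascript
// Added example, not from the thread. Static checks for the "pin your
// dependencies" advice; all sample inputs below are constructed.

// An exact pin is "X.Y.Z", optionally with prerelease/build metadata, no operator.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function classifyRange(range) {
  const r = String(range).trim();
  if (EXACT.test(r)) return "pinned";
  // file:, git+ and URL specifiers bypass the registry and its integrity model
  if (/^(file:|git\+|github:|https?:\/\/)/.test(r)) return "non-registry";
  return "floating"; // latest, *, ^, ~, >=, 1.x, "", or "a || b"
}

function findFloatingDeps(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const kind = classifyRange(range);
      if (kind !== "pinned") findings.push({ field, name, range, kind });
    }
  }
  return findings;
}

// package-lock.json v2/v3 lists installed packages under "packages", keyed by
// path: "" is the root project and workspace members appear as links.
function auditLockfile(lock, registryHost = "registry.npmjs.org") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;
    if (!entry.integrity) findings.push({ path, problem: "missing integrity" });
    if (entry.resolved) {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch {}
      if (host !== registryHost) findings.push({ path, problem: `resolved from ${host}` });
    }
  }
  return findings;
}

// Constructed sample inputs; "sha512-PLACEHOLDER" stands in for a real hash.
const samplePkg = {
  dependencies: { axios: "^1.6.0", lodash: "4.17.21", "some-tool": "latest" },
  devDependencies: { "local-lib": "file:../local-lib" },
};
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-PLACEHOLDER" },
  "node_modules/axios": { version: "1.6.0", resolved: "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz" },
  "node_modules/some-tool": { version: "2.0.0", resolved: "https://mirror.example.invalid/some-tool-2.0.0.tgz", integrity: "sha512-PLACEHOLDER" },
} };

console.log(findFloatingDeps(samplePkg)); // axios, some-tool and local-lib are reported
console.log(auditLockfile(sampleLock));   // axios (no integrity) and some-tool (mirror host)
```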
Glad to be using native fetch.
Please can we just have a 2FA step on publishing? Do we really need a release to be entirely and fully automated?
It won't stop all attacks but definitely would stop some of these
Running almost anything via npx will trigger this
Reset the clock
I lost respect for Axios when they made a breaking change in a patch release. Digging into the root cause, I found the maintainer had approved an outside PR with an obvious AI slop PR description: https://github.com/axios/axios/issues/7059
Looks like the maintainer wasn't just careless when reviewing PRs.
One paragraph is written two times??
First day at Hacker News and this is the first post I saw.
I have a few projects which rely on npm (and react) and every few months I have to revisit them to do an update and make sure they still build, and I am basically done with npm and the entire ecosystem at this point.
Sure, it's convenient to have so much code to use for basic functionality - but the technical debt of having to maintain these projects is just too damn high.
At this point I think that, if I am forced to use javascript or node for a project, I reconsider involvement in that project. Its ecosystem is just so bonkers I can't justify the effort much longer.
There has to be some kind of "code-review-as-a-service" that can be turned on here to catch these things. It's just so unproductive, every single time.
NPM gets worse than Russian roulette. Perhaps we have to rename Russian roulette to node roulette: noulette.
The NPM ecosystem is a joke. I don't even want anything to do with it, because my stack is fully Elixir. But, just because of this one dependency that is used in some interfaces within my codebase, I need to go back to all my apps and fix it. Sigh.
JavaScript, its entire ecosystem is just a pack of cards, I swear. What a fucking joke.
If someone from github is reading this, https://github.com/axios/axios/issues/10604#issuecomment-416...
I think that jason might like if someone from github team can contact them as soon as possible.
(8 minutes ago at the time of writing)
compiled JS solves a problem that no longer exists. IE6 is dead RIP.
Now we have a 20MB main.min.js problem
Has anyone tested general purpose malware detection on supply chains? Like clamscan. I tried to test the LiteLLM hack, but the affected packages had been pulled. Windows Defender AV has an inference-based detector that may work when signatures have not yet been published.
Hopefully desktop Linux users will start to understand that malware actually does exist for Linux and that their operating system is doing nothing to protect them from getting RATed.
Coded has zero npm dependencies. Neat!
Lmao
It's for reasons like this that I refuse to download Node or use anything NPM. Thankfully other languages are better anyway.
I wonder if this has any connection with the recent string of attacks including the FBI director getting hacked. The attack surface is large, executed extremely cleanly - almost as if done by a high profile state sponsored actor, just like in Hollywood movies.