
1369 points universesquid | 1 comments
a022311 No.45170937
After all these incidents, I still can't understand why package registries don't require cryptographic signatures on every package. It introduces a bit more friction (developers downloading CI artifacts and manually signing and uploading them), but it prevents most security incidents. Of course, this can fail if it's automated by some CI/CD system, as those are apparently easily compromised.
replies(5): >>45171165 #>>45171479 #>>45175846 #>>45177751 #>>45180040 #
Joker_vD No.45171479
Mmm. But how does the package registry know which signing keys to trust from you? You can't just log in and upload a signing key because that means that anyone who stole your 2FA will log in and upload their own signing key, and then sign their payload with that.

I guess having some cool-down period after some strange profile activity (e.g. you've suddenly logged in from China instead of Germany) before you're allowed to add another signing key would help, but other than that?

replies(3): >>45171885 #>>45172728 #>>45172882 #
9dev No.45171885
Supporting Passkeys would improve things; not allowing releases for a grace period after adding new signing keys and sending notifications about this to all known means of contact would improve them some more. Ultimately, there will always be ways; this is as much a people problem as it is a technical one.
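The two controls proposed in this sub-thread, a cool-down on adding signing keys after anomalous account activity (Joker_vD) and a grace period during which a newly added key may not sign a release, with notifications to every known contact channel (9dev), can be expressed as a small registry-side policy. The following is an added illustration written for this page, not code from any registry or from the commenters; the constants KEY_GRACE_PERIOD and ANOMALY_COOLDOWN, the account model, and the sample timeline are assumptions, and an HMAC-SHA256 tag stands in for the detached public-key signature (e.g. Ed25519) a real registry would verify against the key registered on the account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import hashlib
import hmac

# Assumed policy constants (not from the thread): how long a newly added key
# must wait before it may sign a release, and how long after anomalous
# account activity new key registrations are refused.
KEY_GRACE_PERIOD = timedelta(days=3)
ANOMALY_COOLDOWN = timedelta(days=7)


@dataclass
class SigningKey:
    key_id: str
    secret: bytes        # stand-in for the public key a real registry stores
    added_at: datetime


@dataclass
class Account:
    name: str
    contacts: List[str]  # every known contact channel, all get notified
    keys: Dict[str, SigningKey] = field(default_factory=dict)
    last_anomaly_at: Optional[datetime] = None
    notifications: List[str] = field(default_factory=list)


def sign(secret: bytes, artifact: bytes) -> str:
    """HMAC-SHA256 tag standing in for a detached public-key signature."""
    return hmac.new(secret, artifact, hashlib.sha256).hexdigest()


def verify(secret: bytes, artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(secret, artifact), signature)


def notify_all(account: Account, message: str) -> None:
    """Fan a notice out to every contact channel on the account."""
    for channel in account.contacts:
        account.notifications.append(f"to {channel}: {message}")


def record_anomaly(account: Account, when: datetime) -> None:
    """Mark suspicious profile activity (e.g. a login from a new country)."""
    account.last_anomaly_at = when
    notify_all(account, "unusual account activity detected")


def add_key(account: Account, key_id: str, secret: bytes, now: datetime) -> str:
    """Register a signing key, or refuse while an anomaly cool-down is active."""
    if account.last_anomaly_at and now - account.last_anomaly_at < ANOMALY_COOLDOWN:
        return "refused: account in anomaly cool-down"
    account.keys[key_id] = SigningKey(key_id, secret, now)
    notify_all(account, f"signing key {key_id} added")
    return "added"


def evaluate_release(account: Account, key_id: str, artifact: bytes,
                     signature: str, now: datetime) -> str:
    """Decide whether a signed release may be published right now."""
    key = account.keys.get(key_id)
    if key is None:
        return "denied: unknown signing key"
    if not verify(key.secret, artifact, signature):
        return "denied: signature does not verify"
    if now - key.added_at < KEY_GRACE_PERIOD:
        return "denied: key still within grace period"
    return "allowed"


def demo() -> Dict[str, object]:
    """Constructed timeline exercising each branch of the policy."""
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)
    acct = Account("maintainer", contacts=["email", "sms"])
    artifact = b"example-1.0.0.tar.gz contents (constructed)"
    results: Dict[str, object] = {}
    # A long-established key signs a release: allowed.
    add_key(acct, "old", b"old-secret", t0 - timedelta(days=30))
    results["established"] = evaluate_release(
        acct, "old", artifact, sign(b"old-secret", artifact), t0)
    # A key added today (e.g. via a stolen session) cannot release until the
    # grace period has elapsed, giving the owner time to react to the notice.
    add_key(acct, "new", b"new-secret", t0)
    results["fresh_key"] = evaluate_release(
        acct, "new", artifact, sign(b"new-secret", artifact), t0 + timedelta(hours=1))
    results["fresh_key_later"] = evaluate_release(
        acct, "new", artifact, sign(b"new-secret", artifact), t0 + KEY_GRACE_PERIOD)
    # A tampered artifact under a valid key fails verification.
    results["tampered"] = evaluate_release(
        acct, "old", artifact + b"x", sign(b"old-secret", artifact), t0)
    # After suspicious activity, key additions are refused during the cool-down.
    record_anomaly(acct, t0 + timedelta(days=1))
    results["key_after_anomaly"] = add_key(acct, "rogue", b"rogue-secret", t0 + timedelta(days=2))
    results["notified"] = len(acct.notifications)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that neither control depends on the registry knowing which key is "really" yours: a stolen session can still add a key, but the added key is useless for publishing until a window has passed in which every contact channel has been told about it, and once the account has shown anomalous activity no new key can be added at all until the cool-down expires.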