1369 points universesquid | 15 comments
DDerTyp ◴[] No.45170133[source]
One of the most insidious parts of this malware's payload, which isn't getting enough attention, is how it chooses the replacement wallet address. It doesn't just pick one at random from its list.

It actually calculates the Levenshtein distance between the legitimate address and every address in its own list. It then selects the attacker's address that is visually most similar to the original one.

This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit of only checking the first and last few characters of an address before confirming a transaction.

We did a full deobfuscation of the payload and analyzed this specific function. Wrote up the details here for anyone interested: https://jdstaerk.substack.com/p/we-just-found-malicious-code...

Stay safe!

replies(5): >>45170393 #>>45170458 #>>45172015 #>>45173594 #>>45180351 #
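The selection logic DDerTyp describes, reconstructed as an added example (this is not the deobfuscated payload and not code from the linked write-up): edit distance is computed from the legitimate address to every address in a constructed pool, the closest one wins, and the same input is then run through the "first six and last four characters" habit the trick is built to pass. The addresses, the pool, the 6/4 head-and-tail split and the function names are all assumptions made for the example.

```javascript
// Added example, not code from the thread or the analysed package.
// Simulates the lookalike-address selection described above on constructed data.

// Classic Levenshtein edit distance (two-row dynamic programme).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Pick the candidate with the smallest edit distance to the legitimate address,
// i.e. the one most likely to pass a glance rather than a random pool entry.
function pickLookalike(legit, candidates) {
  let best = { address: null, distance: Infinity };
  for (const address of candidates) {
    const distance = levenshtein(legit, address);
    if (distance < best.distance) best = { address, distance };
  }
  return best;
}

// The human habit the trick targets: compare only the first `head` and the
// last `tail` characters. The 6/4 split is an assumption for the example.
function sameHeadTail(a, b, head = 6, tail = 4) {
  return a.slice(0, head) === b.slice(0, head) && a.slice(-tail) === b.slice(-tail);
}

// Zero-based positions at which two strings differ; shows where the swap hides.
function differingPositions(a, b) {
  const out = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) out.push(i);
  }
  return out;
}

// Constructed sample data: none of these are real wallet addresses.
const LEGIT = '0x4f3c2a1b9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b';
const FAR = '0x9a8b7c6d5e4f30211223344556677889900aabbc'; // unrelated
const PREFIX_ONLY = '0x4f3c2a' + '0'.repeat(34);           // prefix matches, tail does not
const NEAR = '0x4f3c2a1b9e8d7c6b2a4f3e2d1c039a8f7e6d5c4b';  // two substitutions, mid-string
const ATTACKER_POOL = [FAR, PREFIX_ONLY, NEAR];

// Summary of what the selection produces against the head/tail habit.
function demo(legit = LEGIT, pool = ATTACKER_POOL) {
  const chosen = pickLookalike(legit, pool);
  return {
    chosen: chosen.address,
    distance: chosen.distance,
    passesHeadTailGlance: sameHeadTail(legit, chosen.address),
    identical: legit === chosen.address,
    differsAt: differingPositions(legit, chosen.address),
  };
}

console.log(demo());
```

The only check that holds up here is a full-string comparison against an address you obtained out of band; the glance check returns true for the chosen candidate while the two changed characters sit in positions 18 and 29, exactly where nobody looks.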
1. __MatrixMan__ ◴[] No.45173594[source]
We should be displaying hashes in a color scheme determined by the hash (foreground/background colors for each character determined by a hash of the hash, salted by that character's index, adjusted to ensure sufficient contrast).

That way it's much harder to make one hash look like another.

replies(2): >>45173822 #>>45174403 #
2. Spivak ◴[] No.45173822[source]
Not sure why you're being downvoted, OpenSSH implemented randomart which gives you a little ascii "picture" of your key to make it easier for humans to validate. I have no idea if your scheme for producing keyart would work but it sounds like it would make a color "barcode".
replies(2): >>45175884 #>>45179452 #
3. 9dev ◴[] No.45174403[source]
As someone with red/green vision deficiency: if you do this, please don’t forget people like me are unable to distinguish many shades of colours, which would be very disadvantageous here!
replies(2): >>45174951 #>>45175869 #
4. AaronAPU ◴[] No.45174951[source]
It’s not like it would hurt you for there to be supplementary info others can see but you can’t.
replies(2): >>45177331 #>>45179602 #
5. __MatrixMan__ ◴[] No.45175869[source]
You could still ignore the colors and just read the characters, like people do now, and you could still use whatever color cues you are sensitive to.
6. __MatrixMan__ ◴[] No.45175884[source]
If you ignored the characters and just focused on the background colors, yeah I suppose it would look like a barcode. But the way I envision it, each line on the barcode is a character, so it still copy/pastes into notepad as the original text, but it'll copy/paste into word as colored text with colored background.
7. macintux ◴[] No.45177331{3}[source]
And it's not like it would hurt the developers to be conscious of their choices.
replies(1): >>45178678 #
8. zarzavat ◴[] No.45178678{4}[source]
There's actually nothing the developers can do about this particular issue other than to display all colors and allow colorblind people to see the colors that they can see.
replies(2): >>45178825 #>>45180136 #
9. bbarnett ◴[] No.45178825{5}[source]
For the newly made up feature, which doesn't exist yet, but already has an issue?

Simple. Instead of forcing colour, one could retain a no colour option maybe?

Done. Solved.

Everything should have this option. I personally have no colour vision issues, other than I find colour annoying in any output. There's a lot who prefer this too.

replies(3): >>45179578 #>>45180179 #>>45183283 #
10. Macha ◴[] No.45179452[source]
I have to say the openssh random art has never really helped for me - I see each individual example so infrequently and there's so little detail to remember that it may as well just be a hash for all the memorability it doesn't add
11. ◴[] No.45179578{6}[source]
12. gblargg ◴[] No.45179602{3}[source]
I think 9dev was saying that providing only a colorized version might make it unreadable to some people, not merely that they wouldn't benefit from the extra color information.
13. __MatrixMan__ ◴[] No.45180136{5}[source]
It doesn't matter which colors the algorithm chooses so long as background/foreground are very distinguishable to as wide an audience as possible, and prev/next are likely to be distinguishable more often than not.

That's a lot of flexibility within which to do clever color math which accounts for the types of colorblindness according to their prevalence.

14. __MatrixMan__ ◴[] No.45180179{6}[source]
Agreed, although I would argue that maximal hash contrast should be default, and if people find they prefer less, they can turn it down.

If you're the sort of person who would think about adjusting it to suit your sensitivity to this kind of attack, you're likely not the sort of person that the feature is trying to protect anyhow.

15. mdaniel ◴[] No.45183283{6}[source]
Team https://no-color.org/ for life

One will not be surprised to see that Chalk chooses its own path via the stunningly opaque FORCE_COLOR=0 and is all :fu: to people who suggest otherwise <https://github.com/chalk/chalk/issues/547#issuecomment-11268...> One will especially enjoy the "get bent" response because I discovered that one issue by, you know, searching the issues <https://github.com/chalk/chalk/issues?q=is%3Aissue%20NO_COLO...>