
1369 points universesquid | 1 comment
a022311 No.45170937
After all these incidents, I still can't understand why package registries don't require cryptographic signatures on every package. It introduces a bit more friction (developers downloading CI artifacts and manually signing and uploading them), but it prevents most security incidents. Of course, this can fail if it's automated by some CI/CD system, as those are apparently easily compromised.
replies(5): >>45171165 >>45171479 >>45175846 >>45177751 >>45180040
parliament32 No.45171165
Real registries do [1]; npm is just amateur-hour, which is why its usage is typically forbidden in enterprise contexts.

[1] https://www.debian.org/doc/manuals/securing-debian-manual/de...

replies(3): >>45171532 >>45171856 >>45176279
herpdyderp No.45176279
It sure hasn’t been forbidden in any enterprise I’ve been in! And they, in my experience, have it even worse because they never bother to update dependencies. Every install has lots of npm warnings.