
1369 points universesquid | 1 comments
a022311 No.45170937
After all these incidents, I still can't understand why package registries don't require cryptographic signatures on every package. It introduces a bit more friction (developers downloading CI artifacts and manually signing and uploading them), but it prevents most security incidents. Of course, this can fail if it's automated by some CI/CD system, as those are apparently easily compromised.
replies(5): >>45171165 #>>45171479 #>>45175846 #>>45177751 #>>45180040 #
rtpg No.45175846
I'm a fan of post-facto confirmation. Allow CI/CD to do the upload automatically, and then have a web flow that confirms the release. Release doesn't go out unless the button is pressed.

It removes _most_ of the release friction while still adding the "human has acknowledged the release" bit.

replies(1): >>45176344 #
eviks No.45176344
Maybe even send a user an email notification with a link...
replies(1): >>45178022 #
rtpg No.45178022
lol granted! But notice how in that universe, since npm has to send the link, access to the link is coupled to access to the email address, serving as an auth factor.

In the attack described above, the attacker did not have access to the victim's email address.
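The hold-and-confirm flow rtpg and eviks describe, as an added example that is not code from the thread or from any registry: a CI upload lands as "pending", the registry emails the owner an expiring, HMAC-bound confirmation link, and only a valid click publishes. The class, the token format, the URL and the email stand-in are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class ReleaseGate:
    """Registry-side hold: automated uploads stay pending until a human confirms."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 3600):
        self.secret = server_secret          # HMAC key held by the registry only
        self.ttl = ttl_seconds               # how long a confirmation link stays valid
        self.releases = {}                   # (name, version) -> release record
        self.outbox = []                     # constructed stand-in for email delivery

    def _mac(self, name, version, digest, nonce, expires):
        # Bind the token to the exact artifact, nonce and expiry so a link cannot
        # be replayed for a different upload of the same version.
        msg = f"{name}\0{version}\0{digest}\0{nonce}\0{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def upload(self, name, version, artifact: bytes, owner_email, now=None):
        now = time.time() if now is None else now
        key = (name, version)
        if key in self.releases:
            raise ValueError("version already uploaded")   # versions are immutable
        digest = hashlib.sha256(artifact).hexdigest()
        nonce = secrets.token_hex(16)
        expires = int(now) + self.ttl
        self.releases[key] = {"state": "pending", "digest": digest,
                              "nonce": nonce, "expires": expires}
        token = f"{nonce}.{expires}.{self._mac(name, version, digest, nonce, expires)}"
        # Only the mailbox owner receives the link, which is what makes it an auth factor.
        self.outbox.append((owner_email,
                            f"https://registry.example/confirm/{name}/{version}?t={token}"))
        return "pending"

    def confirm(self, name, version, token, now=None):
        now = time.time() if now is None else now
        rel = self.releases.get((name, version))
        if rel is None or rel["state"] != "pending":
            return "rejected"                # unknown, already published, or expired-out
        try:
            nonce, expires, mac = token.split(".")
            expires = int(expires)
        except ValueError:
            return "rejected"
        expected = self._mac(name, version, rel["digest"], nonce, expires)
        if (not hmac.compare_digest(mac, expected) or nonce != rel["nonce"]
                or now > expires):
            return "rejected"
        rel["state"] = "published"           # the "button pressed" transition
        return "published"

    def is_installable(self, name, version):
        rel = self.releases.get((name, version))
        return rel is not None and rel["state"] == "published"
```

A pending release is invisible to installers, so a compromised CI token alone cannot push a version to users; a sweeper that drops pending records past their expiry is left out for brevity.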