SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
Didn’t pypi have the worm too recently?
Also I have no idea why npm is worse offender than most? Is it that the install scripts can you execute any code they want?
I think it’s because JavaScript devs have a more promiscuous culture of code reuse than most. In what other language community would something like left-pad justify being its own package?
Because there is a much larger number of small libraries that end up in every project somewhere down the tree. So: higher count of opportunities.
Because JS is much more popular than any other language and is used in virtually every web project. So: higher impact when successfully executing a supply chain attack. (this is the same reason why Windows has more viruses than linux or osx: not because linux and osx are intrinsically more secure - even if they are, that’s never going to be the main factor - but because there are a lot more tech illiterate users with Windows than the others)
NPM isn’t particularly less secure, it’s just more attractive to exploit.
Yes. Install scripts. But also pypi started enforcing 2fa for package pushes, which helps a lot.