Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 11-May-2022 05:39:35 UTC
1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails.
3. Take over packages.
4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed.
5. Enjoy world domination.

Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 11-May-2022 05:44:55 UTC
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
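The precondition Lance describes (one maintainer, registry account email on a domain nobody is paying for any more) can be checked mechanically before a package is pulled into a tree. The script below is an added example, not code from the thread or from Distrust. It reads the JSON that `npm view <pkg> --json` prints, which the reader is assumed to have fetched separately (the sample embedded here is constructed, and every package and maintainer name in it is hypothetical), and it recovers package names from a package-lock.json so a whole dependency tree can be fed through the same audit. The DNS check is a stdlib-only heuristic; the authoritative signal is the registrar's expiry date via RDAP/WHOIS, which needs a client the example does not include.

```python
"""Audit npm package metadata for the takeover precondition described in the
thread: a lone maintainer whose account email lives on a domain nobody is
paying for any more.  Added example, not from the thread.  The sample inputs
are constructed and every package/maintainer name in them is hypothetical."""
import json
import socket

# Constructed stand-in for what `npm view example-pkg --json` prints, trimmed
# to the fields read below (the registry returns maintainers as objects with
# "name" and "email").
SAMPLE_METADATA = json.loads("""
{
  "name": "example-pkg",
  "version": "2.0.6",
  "maintainers": [
    {"name": "solo-dev", "email": "solo@lapsed-domain.example"}
  ]
}
""")

# Constructed lockfileVersion 3 package-lock.json, to show how package names
# are recovered from the "packages" keys (scoped and nested entries included).
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"example-pkg": "^2.0.0"}},
    "node_modules/example-pkg": {"version": "2.0.6"},
    "node_modules/@scope/lib": {"version": "1.0.0"},
    "node_modules/@scope/lib/node_modules/nested-dep": {"version": "0.1.0"}
  }
}
""")

# Accounts on big mailbox providers fail differently (phishing, credential
# stuffing), not by the provider's domain lapsing, so they are skipped here.
PUBLIC_MAILBOX_PROVIDERS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "icloud.com", "protonmail.com", "proton.me",
}


def lockfile_package_names(lockfile):
    """Unique package names from a v2/v3 package-lock.json.  Each key is a
    path like node_modules/a/node_modules/b; the last node_modules/ segment
    is the package name, with any @scope/ prefix kept.  The root entry ""
    and workspace entries (no node_modules/ in the path) are skipped."""
    names = set()
    for path in lockfile.get("packages", {}):
        if "node_modules/" not in path:
            continue
        names.add(path.rsplit("node_modules/", 1)[1])
    return sorted(names)


def maintainer_domains(metadata):
    """(maintainer name, lower-cased email domain) for each maintainer."""
    pairs = []
    for m in metadata.get("maintainers", []):
        email = m.get("email", "")
        if "@" not in email:
            continue
        pairs.append((m.get("name", "?"), email.rsplit("@", 1)[1].lower()))
    return pairs


def domain_resolves(domain):
    """Cheap heuristic using only the stdlib: does the domain resolve at all?
    NXDOMAIN is a strong hint the registration lapsed, but a parked or just
    re-registered domain still resolves, so True means 'not obviously lapsed',
    never 'safe'.  Authoritative: the registrar expiry date via RDAP/WHOIS."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_package(metadata, domain_check=domain_resolves):
    """Report the conditions that made the takeover in the thread possible.
    domain_check is injectable so the audit can run offline."""
    pairs = maintainer_domains(metadata)
    findings = {"package": metadata.get("name"),
                "maintainer_count": len(pairs), "issues": []}
    if len(pairs) == 1:
        findings["issues"].append(
            "single maintainer: one compromised account can publish")
    for name, domain in pairs:
        if domain in PUBLIC_MAILBOX_PROVIDERS:
            continue
        if not domain_check(domain):
            findings["issues"].append(
                f"{name}: email domain {domain} does not resolve; "
                "check whether it is available to register")
    return findings


if __name__ == "__main__":
    print("packages to audit:", lockfile_package_names(SAMPLE_LOCKFILE))
    # Offline run: pretend every non-provider domain has lapsed.
    print(json.dumps(audit_package(SAMPLE_METADATA,
                                   domain_check=lambda d: False), indent=2))
```

On real input, run `npm view "$pkg" --json` for each name that `lockfile_package_names` returns, `json.load` the output and pass it to `audit_package` with the default `domain_resolves`. A domain that does resolve still deserves a registrar lookup: a squatter who already re-registered it produces exactly the same DNS answer as the original owner.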

Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 11-May-2022 05:46:51 UTC
@wolf480pl Preventing other people from using it is enough. That and using it as a chance to educate people on why they can't trust NPM.

Wolf480pl (wolf480pl@mstdn.io)'s status on Wednesday, 11-May-2022 05:46:52 UTC
@lrvick what do you plan to do with such power?

Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 11-May-2022 05:47:15 UTC
@technicallypossible @wolf480pl I don't recommend trusting me... or any single individual, with this kind of power.
If someone asks me nicely with a rubber hose, I will be obliged to hand over access.
There is a reason the name of my company is "Distrust"
Distrust should lead to Distributed Trust.
Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.

TechnicallyPossible (technicallypossible@chaos.social)'s status on Wednesday, 11-May-2022 05:47:23 UTC
@lrvick can we trust you more than we can trust npm?
@wolf480pl

Sandra (sandra@idiomdrottning.org)'s status on Wednesday, 11-May-2022 05:48:48 UTC
@lrvick
Why is it so much more often NPM we see in these disasters and so seldom Debian or even Gem or CPAN?

Santa Claes (clacke@libranet.de)'s status on Wednesday, 11-May-2022 05:48:48 UTC
@Sandra @lrvick It is theoretically possible to be an active community member in the projects of your pypi/CPAN/rubygems/Debian dependencies.
Not so with the typical npm dependency tree. The culture is completely different. Your transitive dependencies will typically count in the hundreds rather than a handful.
Arguably those hyper-prolific authors that maintain 390 published packages cannot even be active community members of their own packages, which could be said to be a contributing reason for that Tarr incident.

federico (federico3@mastodon.social)'s status on Wednesday, 11-May-2022 06:14:24 UTC
@Sandra @lrvick Because in #Debian it takes multiple pairs of eyes to review and approve a package. Packages are signed and Debian Developers sign each other's cryptographic keys after meeting in person and verifying passports. To become a Debian Developer one needs to prove commitment by contributing for years, receiving mentoring and passing interviews and exams.

Santa Claes (clacke@libranet.de)'s status on Wednesday, 11-May-2022 06:17:30 UTC
@Sandra @lrvick It's entirely cultural when you're comparing pypi, rubygems and npm. For Debian as noted by @federico3 there are clear governance differences.

Sandra (sandra@idiomdrottning.org)'s status on Wednesday, 11-May-2022 06:17:31 UTC
@clacke @lrvick
But are there any architectural differences? Central compilation, NMU etc?

Nulliver (nulliver@mastodon.technology)'s status on Thursday, 12-May-2022 00:26:36 UTC