upvote

points

by Tomte4 hours ago |
comments
upvoteby exitb4 hours ago|
next
[-]
Well, if that actually works, it should be part of the release process, before the packages get placed onto the regular channels.
reply
upvoteby pixl971 hours ago|
parent|
next
[-]
It works because there are multiple companies doing it and double checking the results.

For example, is a crypto miner actually an attack? If the package presents itself as a miner, then no. Is connections to other repositories an attack? Again, depends on what the package does. Connections to some other hostname? Depends.

There is still a lot of human analysis that occurs in making the call that an attack is occurring.

reply
upvoteby blm1263 hours ago|
parent|
prev|
[-]
I think the key right now is that these are semi-automated scanning processes. Right now, companies like step security selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.

None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.

reply
upvoteby ZiiS3 hours ago|
prev|
next
[-]
@exitb it is much more desirable for security scanning companies to compete to find issues in a timely manor. If npm blessed one as a gatekeeper to the whole system they would be between a rock and a hard place. Unable to priorities high impact packages over the long tail of packages no one uses without pissing people off. Unable to add experimental new detections that may be a little noisy at first due to the huge disruption it would cause. Be trivial to game as obscure packages could brute-force their way though then use the same hole on a mainstream package.
reply
upvoteby sandos3 hours ago|
prev|
[-]
Then the ... malware will just add delays? Or do they really do manual in-depth analysis of all new code? Just running and seeing it do things is probably a lot easier.
reply
upvoteby Ukv2 hours ago|
parent|
[-]
Security scanners won't be "manual in-depth analysis of all new code" or "Just running and seeing it do things", but somewhere in-between - utilizing static analysis/machine learning. It's a cat-and-mouse game, but the attacker adding code that waits X days to run something obfuscated would be another pattern that they could look for.

I think these attackers are unlikely to add a delay in the first place because the chance of their attack being found out before it activates would be too high. They seem to generally work on the assumption that they have a day or so before the package is yanked (e.g: from maintainer noticing their account is compromised) so need to move fast.

reply