
This is serious stuff and we will definitely see more of it in the future! As there are more and more node.js developers, it will be more profitable to run a scam like this, and you only need to hijack one package that has a lot of dependents, one package that is for example used by `express`, to get access to a lot of users.

The only thing you can do is be careful and listen for projects like node security.

Or use some other technology.
There are remarkably few dependency management systems not vulnerable to some variant of this attack.
Then again, a project with <20 dependencies has fewer "entry points" for this attack than a typical NPM project with 500+ transitive dependencies.
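One way to count the "entry points" the comment above is talking about, as an added example that is not part of the thread and not npm's own tooling: walk a package-lock.json (lockfileVersion 2 or 3) from the root, resolve each dependency the way node's module lookup does (nearest `node_modules` first, then parent directories), and flag the lockfile entries a hijacked package would rely on: install scripts, missing integrity hashes, and tarballs fetched from somewhere other than the registry. The lockfile in the block is constructed for the demo; the package names, versions, hashes and the `http://evil.example` URL are made up, and the `auditLock`/`resolveDep` names are this example's own.

```javascript
// Added example (not from the thread, not npm code): measure the transitive
// attack surface recorded in an npm lockfile and flag risky entries.

// Only tarballs from this registry are treated as expected. Assumption for the demo.
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// Constructed lockfile (lockfileVersion 3 layout: a flat "packages" map keyed by
// install path, "" being the project root). All names, versions and hashes are fake.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { express: '^4.0.0', left: '^1.0.0' } },
    'node_modules/express': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/express/-/express-4.0.0.tgz',
      integrity: 'sha512-AAAA',
      dependencies: { qs: '^6.0.0', debug: '^2.0.0' },
    },
    'node_modules/qs': { version: '6.0.0', integrity: 'sha512-BBBB' },
    'node_modules/debug': { version: '2.0.0', integrity: 'sha512-CCCC', dependencies: { ms: '^1.0.0' } },
    'node_modules/ms': { version: '1.0.0', integrity: 'sha512-DDDD' },
    // The "hijacked" package: runs code at install time, has no integrity hash,
    // and is pulled from a plain-http host that is not the registry.
    'node_modules/left': {
      version: '1.0.0',
      resolved: 'http://evil.example/left-1.0.0.tgz',
      hasInstallScript: true,
      dependencies: { ms: '^2.0.0' },
    },
    // Nested copy of ms, installed because "left" wants a different major version.
    'node_modules/left/node_modules/ms': { version: '2.0.0', integrity: 'sha512-EEEE' },
  },
};

// Resolve dependency `name` as seen from the package installed at `fromPath`:
// try <fromPath>/node_modules/<name>, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === '') return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Breadth-first walk over the runtime dependency graph starting at the root.
// Only "dependencies" are followed; optional/peer deps are out of scope here.
function auditLock(lock) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const declared = Object.keys(root.dependencies || {});
  const seen = new Map();       // install path -> depth (1 = direct dependency)
  const dependents = new Map(); // install path -> Set of paths that depend on it
  const findings = [];
  const queue = [];

  for (const name of declared) {
    const p = resolveDep(packages, '', name);
    if (p) queue.push([p, 1, '']);
    else findings.push({ path: name, issue: 'declared in root but missing from lockfile' });
  }

  while (queue.length) {
    const [path, depth, from] = queue.shift();
    if (!dependents.has(path)) dependents.set(path, new Set());
    dependents.get(path).add(from);
    if (seen.has(path)) continue;
    seen.set(path, depth);

    const entry = packages[path];
    if (entry.hasInstallScript) findings.push({ path, issue: 'runs an install script' });
    if (!entry.integrity) findings.push({ path, issue: 'no integrity hash' });
    const resolved = entry.resolved || '';
    if (resolved && !resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ path, issue: `fetched from ${resolved}` });
    }
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (depPath) queue.push([depPath, depth + 1, path]);
      else findings.push({ path: `${path} -> ${depName}`, issue: 'unresolved dependency' });
    }
  }

  let direct = 0;
  for (const depth of seen.values()) if (depth === 1) direct += 1;
  return { total: seen.size, direct, transitive: seen.size - direct, findings, dependents };
}

const report = auditLock(SAMPLE_LOCK);
console.log(`${report.total} packages reachable (${report.direct} direct, ${report.transitive} transitive)`);
for (const f of report.findings) console.log(`${f.path}: ${f.issue}`);
```

Run it against a real project with `auditLock(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))`; the `total` figure is the number of packages whose maintainers can ship code into your install, and `dependents` shows which low-level packages sit under many others, the "one package used by express" case from the first comment.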