I think I'm gonna snap.
A shitty JavaScript program shouldn't be able to do that, but this is UNIX.
And with that one simple trick the entire conflict comes to an end.
This should be done to all JavaScript programmers, not just the Russian ones.
>>5
Easy with the transphobia, bro.
>>6
Nobody was talking about Rust.
>>7
Easy with the super straight phobia, bro.
>>1
Where does it say that it wipes your disk? All I could find is that it creates a "peace, not war" file.
Looks like it used to overwrite all your files with unicode hearts but it has been changed to just create that file.
Heh. it's also on the news now: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
And it now has its own OFFICIAL advisories:
https://github.com/advisories/GHSA-97m3-w2cp-4xx6
https://nvd.nist.gov/vuln/detail/CVE-2022-23812
>>> import binascii
>>> binascii.a2b_base64 ("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=")
b'https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154'
$ for s in $(grep -E -oe 'Buffer.from[^(]*\([^)]*\)' code.txt | sed -r -e 's/^[^"]*"([^"]+)".+$/\1/'); do echo "$s -> $(echo "$s" | base64 -d)"; done
aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ= -> https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
Li8= -> ./
Li4v -> ../
Li4vLi4v -> ../../
Lw== -> /
Y291bnRyeV9uYW1l -> country_name
cnVzc2lh -> russia
YmVsYXJ1cw== -> belarus
4p2k77iP -> ❤️
$
❤️
>>> binascii.a2b_base64 ("4p2k77iP")
b'\xe2\x9d\xa4\xef\xb8\x8f'
>>> bytes.decode (_, "utf-8")
'❤️'
>>> " ".join (map (lambda ch: hex (ord (ch)), _))
'0x2764 0xfe0f'
0x2764 0xfe0f
❤ U+2764 So HEAVY BLACK HEART [Dingbats]
U+FE0F Mn VARIATION SELECTOR-16 [Variation Selectors]
https://gist.github.com/ckcr4lyf/6d96c2bf42ec31c6362053ea275d80d5
Explanation of the malware in node-ipc
Hello, is this /pol/?
>>17
I won't support any software that is malware. Also, install Gentoo and read your SICP.
The author, Brandon Nozaki Miller, should be locked up in jail for the crime.
updated readme.md
+ Thanks for all the free pizza, and thanks to all the police that showed up to SWAT me. They were really nice fellas.
+
>>18
How about malware that prints out the entire SICP and overwrites your disk with Gentoo?
>>20
Does he actually think this gay shit is going to distract people from what he did?
>>20
>>22
Is there any proof that the profiles he linked to are actually his and he's not just baiting people?
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY
What did MIT mean by this?
>>25
That in no event shall the authors or copyright holders be liable for any claim, damages or other liability.
>>24
Even still, software that you write shouldn't be malware.
I would be surprised if there was even just a single Schemer on this site who did not try their hands at writing viruses as a rebellious teenager.
https://github.com/RIAEvangelist/node-ipc/pull/572
Delete Polish People's And French People's Files Also #572
In Addition, IMade Changes so That French People Will Have Files Overwritten with Baguette Emoji Instead Of Heart
const isFrench = u.includes("france");
[...]
let overwriter = '❤️'; // heart emoji
if (isFrench) {
overwriter = '🥖'; // baguette
}
>>29 This, but with a guillotine instead of a baguette
>>24
Amen. Me and my gf have been laughing at this for days now.
Remember the edict of READ ALL YOUR CODE? Some people don't even nead the license and install!
Someone write a State letter for >>27. They
haven't stopped the 14 eyes yet.
PS: you are right. French people smell.
Kasane Teto likes baguette with margarine.
The JavaScript version of SICP should add node-ipc as a dependency.
>>24
National laws against malware have a higher precedence than software licenses.
Open source software will wipe your disk if you're Russian
Don't worry. We are safe from the menace of open source software because SchemeBBS on textboard.org uses proprietary software in /sandbox/.
https://fossil.textboard.org/misc/home
Realistically, package managers are necessary in real-life production environments.
Is there a way to prevent this kind of package manager supply chain attacks?
Python's pip has support for repeatable installs and secure installs by comparing the checksums of the downloaded packages against a local list of checksums.
https://pip.pypa.io/en/stable/topics/repeatable-installs/
https://pip.pypa.io/en/stable/topics/secure-installs/
In the Java world, Maven Central could be the single point of failure. Maven verifies checksums, but those checksums are obtained from the same source as the packages. Hackers could replace legitimate packages with malicious ones, and replace legitimate checksums with the checksums of the malicious packages. No warnings or errors when the user downloads the malicious package because the checksum would be "correct".
The situation is even worse in the Common Lisp world. Quicklisp downloads over HTTP and doesn't even verify checksums. Quicklisp is stuck in the 20th century, just like Common Lisp.
As for Scheme, it has no widely used package managers to speak of ...
How is the situation in the Node.js world? What methods can JavaScripters use to avoid these supply chain attacks? I heard that the best practice is to use npm ci
instead of npm install
.
Short of using a self-hosted package repository where you manually vet every package, I think the best way to avoid these attacks is to use version pinning for all dependencies. Each listed dependency should also have a locally stored checksum for verification after downloads.
>>38
I personally don't think it should be made easier to pull in external libraries. It encourages developers to pull in libraries which pull in libraries which pull in libraries ad infinitum. I've built seemingly simple rust programs that pulled in hundreds of dependencies.
Then in the javascript world you regularly see packages that indirectly pull in thousands of dependencies, including stuff like this https://jeremyaboyd.com/post/there-s-a-package-for-that
Of course there is a case for pulling in libraries that solve complex problems instead of forcing everyone to independently solve then, but it seems that the easier it is to pull in deps the dumber developers act.
When your code has hundreds of external library dependencies, how do you make sure that the libraries you downloaded last month during development are exactly the same as the ones you downloaded today for re-building your code?
I think we should move towards reproducible builds (e.g. Guix) or use cryptographic signing (like Debian's APT) or use the "checksum pinning" method mentioned in >>38, which I think every package manager should support if they do not have any better methods.
Are Rust's package manager (Cargo) and Go's go get secure? I heard that npm used to not check anything.
Common Lisp
Scheme
There is the GNU Guix package manager (that can be used on other distros).
I think the best way to avoid these attacks is to use version pinning for all dependencies.
This.
You should (be able to) pin all dependencies to a particular version/commit. And all packages should be signed.
And all packages should be signed.
And if that is not feasible for whatever reason, there should at least be support for storing the checksum of each package inside the file where all dependencies are pinned to a particular version/commit.
e.g.
lib-a v1.23 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
lib-b v4.56 53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3
...
Unbelievably based.