The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


GitHub’s commitment to npm ecosystem security | The GitHub Blog – no npm package can historically be tracked to be authentic

Posted by jpluimers on 2021/11/18

It started with [Wayback/Archive] GitHub’s commitment to npm ecosystem security | The GitHub Blog and this quote:

on November 2 we received a report to our [Wayback/Archive] security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. …

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. … the timeframe for which we have available telemetry, which goes back to September 2020 …

This basically means you cannot trust the authenticity of any npm package version published through the registry before September 2020: there is no telemetry from which the registry could determine whether that version was published by an authorized account.

It sparked reactions like these:

–jeroen
