North korea and others are likely going if not already, setup an uno reverso and get applicants to do screening tests that require downloading malicious packages.
I "got" hacked by a North Korean hacker. I was lucky the dumb virus was meant for Mac and Windows, not Linux. It got installed to my computer but attempted to steal credentials in places there did not exist in my computer, but it was a close call.
Do you use apps built on Electron? The npm packages chosen for inclusion in the app are not sandboxed in any way IIUC (at least on Linux that is the case).
Some security people are warning against Electron (at least on Linux):
A recruiter profile disappeared from my inbox in linkedin after I sent a PR to a github project for a an interview so I got suspicious and checked if there was any unrecognized open connection usng `lsof -nPi | grep ESTABLISHED` and there was one, found the script, read it to see what it did - tried to steal crypto and browser credentials.
To be sure it did not install other stuff I could not find I did a full reinstall of the OS. Now I don't use npm ever again.
It’s weird how an npm package can just do all this still, to this day.
Given the size of the JavaScript ecosystem, it is indeed baffling how behind npm is. One npm i and a typo away from getting hacked.
North korea and others are likely going if not already, setup an uno reverso and get applicants to do screening tests that require downloading malicious packages.
I "got" hacked by a North Korean hacker. I was lucky the dumb virus was meant for Mac and Windows, not Linux. It got installed to my computer but attempted to steal credentials in places there did not exist in my computer, but it was a close call.
After that I never used npm again.
Do you use apps built on Electron? The npm packages chosen for inclusion in the app are not sandboxed in any way IIUC (at least on Linux that is the case).
Some security people are warning against Electron (at least on Linux):
https://github.com/secureblue/secureblue/issues/193#issuecom...
Yeah. Only Codium (VSCode fork) tho and now that I thought about it, time to stop using it.
How did you know? Now I’m worried I’ve been hacked a billion times testing npm packages just today.
> How did you know?
A recruiter profile disappeared from my inbox in linkedin after I sent a PR to a github project for a an interview so I got suspicious and checked if there was any unrecognized open connection usng `lsof -nPi | grep ESTABLISHED` and there was one, found the script, read it to see what it did - tried to steal crypto and browser credentials.
To be sure it did not install other stuff I could not find I did a full reinstall of the OS. Now I don't use npm ever again.