by gwmnxnp_516a 1558 days ago
This Node npm supply chain attack incident is a wake-up call that the current security model of mainstream operating systems such as Linux, Mac OS X or Windows is no longer suitable for modern-day threats, and they need a "zero-trust"-like model for applications. Mitigating supply chain attacks like this one requires adopting application sandboxing by default, assuming that any application can be compromised, and a capability-based security model like Fuchsia, Genode OS or mobile operating systems like Android or Apple's iOS. In the case of Linux, the most suitable sandboxes are Docker containers and the Firejail tool, which can restrict the operating system resources an application can access, including the $HOME directory. Firejail can even provide a fake $HOME directory. In the case of Microsoft Windows, there is the Windows Sandbox, but it is only available on Windows Pro or Enterprise. But even so, those countermeasures would only prevent the user's data from being damaged; malicious npm packages could still attempt to send credentials, tokens or database information back to the attacker. More details at: https://hkubota.wordpress.com/2020/12/31/comparing-sandboxin... and https://docs.microsoft.com/en-us/windows/security/threat-pro....

Another suitable mitigation strategy may be to lock dependency versions or to switch to other programming languages with a proper standard library and a limited number of packages, where one can at least audit the code.