Hacker News new | ask | show | jobs
by capableweb 1298 days ago
Likely because they don't really care about the root causes, they are not spending time reviewing a barely used package in order to learn something new or for the betterment of the world as a whole, the article is trying to sell their tooling for detecting malicious packages. Understanding the root cause wouldn't help with that.
1 comments
christophetd 1298 days ago
One of the authors of the post here. We prefer sticking to the facts rather than speculating the account was compromised without having a solid proof. Someone on /r/netsec also had an interesting theory that this might be an intentional backdoor[1].

For what it's worth, the project referred to in the post is free, open-source, and unrelated to the commercial offering.

[1]: https://www.reddit.com/r/netsec/comments/z30465/comment/ixlj...

link
denton-scratch 1298 days ago
And yet you go ahead and speculate that the account "was likely compromised", without saying what facts inclined you to that opinion.
link
christophetd 1298 days ago
We just updated the wording. Thanks for the feedback.
link
denton-scratch 1298 days ago
You seem to have updated the wording to "has been backdoored by a malicious actor". Isn't that more speculation, with the tentativeness removed? What facts incline you to believe it was a malicious actor, and not the maintainer?
link
christophetd 1298 days ago
If the maintainer themselves added the backdoor, can't they be considered a malicious actor?
link
denton-scratch 1298 days ago
Yes, that's true. And I agree that there is some malicious actor; a bag of Base64-encoded code doesn't get inserted as an innocent accident. But the way you've expressed yourself, more than once, suggests you have reason to believe the malicious actor is other than the maintainer.

Do you have any evidence, one way or the other?

Let's not chop logic. I don't think you've been completely frank about this. The commit was signed by the maintainer, right, using a private key? That means the maintainer "done it", absent evidence to the contrary. And apparently the maintainer is silent.

link
capableweb 1298 days ago
> It is possible the original developer of the package had their account compromised and used by a malicious actor.

> whose maintainer's account was likely compromised by a malicious actor

Seems to still be speculating about the cause without diving deeper into the topic, or is there some cache invalidation of the article that is missing perhaps?

link
christophetd 1298 days ago
Yes, that would be caching. We kept the first sentence, as it's still possible his account was compromised (we have no strong evidence to prove it, but no strong evidence to refute it either).
link
capableweb 1298 days ago
> we have no strong evidence to prove it, but no strong evidence to refute it either

How is that different than "speculation"? That sounds like textbook definition of "speculation".

"Speculation - the activity of guessing possible answers to a question without having enough information to be certain"

link