Hacker News new | ask | show | jobs
by tru3_power 519 days ago
Why not? NPM behaves oddly when there is a public package named the same as one on a private repo, in some cases it’ll fetch the public one instead. I believe it’s called package squatting or something. They might have just been showing that this is possible during an assessment. No harm no foul here imo
2 comments
woodruffw 519 days ago
> They might have just been showing that this is possible during an assessment. No harm no foul here imo

You're not supposed to leave public artifacts or test on public services during an assessment.

It's possible Cursor asked them to do so, but there's no public indication of this either. That's why I qualified my original comment. However, even if they did ask them to, it's typically not appropriate to use a separate unrelated public service (NPM) to perform the demo.

Source: I've done a handful of security assessments of public packaging indices.

link
guappa 519 days ago
Comments here seem to indicate that cursor did NOT ask them to (unless of course someone inside the company did and didn't tell the others)
link
compootr 519 days ago
if Cursor is secure it shouldn't be a problem for them! (and, according to their comments, it is)
link
woodruffw 519 days ago
It's not about being a problem or not. It's a basic responsibility when doing security research: maintaining an isolated test environment is table stakes.
link
mmsc 519 days ago
How should it have been done differently? How else is the researcher supposed to know if the attack works? "Hey random company, we have no proof it's going to work but we think maybe your system, which we can't see, is vulnerable! Go waste time and check!"
link
cheema33 519 days ago
Cursor team has already stated here that they did not ask Snyk to perform a security audit. I wonder if Snyk's actions are equivalent to me coming to your house late at night and then trying to open any and all doors and windows. In the name of security research. Without an invitation from you.

How else am I to validate that your house is secure?

link
compootr 518 days ago
I don't think it's like checking the locks in this case... more like adding a landmine in an apartment complex for cursor to trip on maybe ;)
link
bostik 519 days ago
Local DNS override, and two registries. One mirroring the relevant public NPM packages as they are, and one "normal" internal one. Make the mirror registry resolvable with the same name(s) as the real, public NPM registry.

Then test the behaviour.

link
mmsc 519 days ago
I think there's an incorrect assumption that the Snyk team has any access to Cursor's systems, or their source code.
link
BeefWellington 519 days ago
"No Harm No Foul" in this case would be a simple demonstrative failure case, not functioning malware.
link