Hacker News new | ask | show | jobs
by LelouBil 276 days ago
I'm also wondering why huge scale attacks like this don't happen for other package managers.

Like, for rust, you can have a build.rs file that gets executed when your crate is compiled, I don't think it's sandboxed.

Or also on other languages that will get run on development machines, like python packages (which can trigger code only on import), java libraries, etc...

Like, there is the post install script issue or course, but I feel like these attacks could have been just as (or almost as) effective in other programming languages, but I feel like we always only hear about npm packages.
4 comments
silverwind 275 days ago
All package managers are vulnerable to this type of attack, it just happens that npm is like 10+ times more popular than the others, so it gets targeted often.
link
voxelghost 276 days ago
Its only JS devs that constantly rebuild their system with full dependcy update, so they are the most attractive target.
link
Onavo 276 days ago
It's a lot harder to do useful things with backend languages. JavaScript is more profitable as you can do the crypto wallet attacks without having to exploit kernel zero days.
link
0x000xca0xfe 275 days ago
It's trivial to run an exploit shell from almost any language when you have non-sandboxed code running on the target machine.
link
Onavo 275 days ago
Yes but outside of dumping user data, there's not much else you can do. Crypto mining will get caught rather quickly (most big clouds ban mining). User data is useful for the type of attacker that's willing to go through the whole blackmarketing selling process. For script kiddies, if you think about it, the easiest pay-off for a social engineering/phishing is a frontend wallet crypto theft.
link
0x000xca0xfe 274 days ago
This has still nothing to do with the language or kernel exploits. Only code execution on a valuable host matters.

You could make a malicious Rust crate that on installation runs a Python shell and injects JavaScript into your browser to extract crypto wallets. There even seems to be a significant overlap of Rust devs/crypto fans.

Also script kiddies don't do social engineering and blackmarket crypto selling, that's 100% professional crime territory. Real-life script kiddie attacks I've seen were more like hacking an ecommerce site and adding bananas as currency.

link
arccy 275 days ago
for the same reason that scams are kind of obvious if you care to look: use of js / npm is an automatic filter for a more clueless target.
link