NPM still has security problems, and the latest one affects the publishing (update) process

A few days ago GitHub disclosed two incidents in the infrastructure of the NPM package repository. It detailed that on November 2, third-party security researchers, as part of the Bug Bounty program, found a vulnerability in the NPM registry that allowed a new version of any package to be published from an ordinary account, even though that account had no permission to publish such an update.

The vulnerability was caused by an incorrect authorization check in the code of the microservices that process requests to NPM. The authorization service checked permissions on a package based on data passed in the request, but a different service, the one that writes the upload into the repository, decided which package to publish based on the metadata contained inside the uploaded package itself.

As a result, an attacker could request the publication of an update for their own package, to which they had access, but embed in the package itself metadata naming a different package, and it was that other package that ended up being updated.
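The mismatch described above can be replayed in a few lines. The following is an added illustration, not npm's code: the registry state, the two "service" functions and the payload shape are constructed for the example. The authorization step trusts the package name in the request, while the vulnerable write step trusts the name in the uploaded manifest; the hardened variant refuses to write unless the two identities agree.

```javascript
// Added illustration of the authorization/publish mismatch described in the
// article. NOT npm's code: registry state, service names and payload shape
// are constructed for the example.

// Constructed registry state: which users may publish each package, and the
// versions already published.
function makeRegistry() {
  return {
    maintainers: { 'attacker-pkg': ['mallory'], 'popular-lib': ['alice'] },
    versions: { 'attacker-pkg': ['1.0.0'], 'popular-lib': ['4.2.0'] },
  };
}

// Authorization service: checks the package name carried in the request
// (for example the URL path), which is what the article describes.
function authorize(reg, user, requestedName) {
  const owners = reg.maintainers[requestedName];
  return Array.isArray(owners) && owners.includes(user);
}

// Upload service, vulnerable variant: once the check passes it decides which
// package to write from the manifest *inside the uploaded payload*, which the
// publisher controls. The two services never agree on one package identity.
function publishVulnerable(reg, user, requestedName, payload) {
  if (!authorize(reg, user, requestedName)) return { ok: false, reason: 'forbidden' };
  const { name, version } = payload.manifest;
  if (!reg.versions[name]) reg.versions[name] = [];
  reg.versions[name].push(version);
  return { ok: true, wrote: name, version };
}

// Hardened variant: bind the identity that was authorized to the identity
// that is written, and reject a manifest that claims anything else.
function publishHardened(reg, user, requestedName, payload) {
  if (!authorize(reg, user, requestedName)) return { ok: false, reason: 'forbidden' };
  const { name, version } = payload.manifest;
  if (name !== requestedName) {
    return { ok: false, reason: `manifest name "${name}" != authorized "${requestedName}"` };
  }
  if (!/^\d+\.\d+\.\d+$/.test(version)) return { ok: false, reason: 'bad version' };
  const existing = reg.versions[name] || (reg.versions[name] = []);
  if (existing.includes(version)) return { ok: false, reason: 'version exists' };
  existing.push(version);
  return { ok: true, wrote: name, version };
}

// Replay the attack: mallory is authorized only for attacker-pkg but ships a
// tarball whose manifest claims to be popular-lib 4.2.1.
function demo() {
  const forged = { manifest: { name: 'popular-lib', version: '4.2.1' } };
  const vuln = makeRegistry();
  const vulnResult = publishVulnerable(vuln, 'mallory', 'attacker-pkg', forged);
  const hard = makeRegistry();
  const hardResult = publishHardened(hard, 'mallory', 'attacker-pkg', forged);
  return {
    vulnResult,
    popularAfterVuln: vuln.versions['popular-lib'],
    hardResult,
    popularAfterHard: hard.versions['popular-lib'],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The general lesson is that an authorization decision is only meaningful for the object it was made about: any later step that re-derives the object's identity from attacker-controlled input (here, the manifest inside the tarball) has silently discarded that decision. Carrying the authorized name forward, or re-checking it against the written name, closes the gap.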

As GitHub put it in the disclosure: in the last few months, the npm team has been investing in infrastructure and security improvements to automate the monitoring and analysis of recently published package versions, in order to detect malware and other malicious code in real time.

There are two main types of malware that occur in the npm ecosystem: malware published as a result of account takeover, and malware that attackers publish through their own accounts. Although impactful account takeover is relatively rare compared to malware published directly by attackers using their own accounts, an account takeover can have far-reaching consequences when it targets the maintainers of popular packages. While our detection time and response time for a known package takeover has been under 10 minutes in recent incidents, we continue to improve our malware detection capabilities and notification strategies toward a better response model.

The problem was fixed 6 hours after the vulnerability was reported, but the vulnerability had existed in NPM for longer than the period covered by the telemetry logs. GitHub stated that there are no traces of attacks using this vulnerability since September 2020, but there is no guarantee that the problem was not exploited earlier.

The second incident occurred on October 26. During technical work on the database of the replicate.npmjs.com service, it was found that confidential data was present in the publicly queryable database, exposing the names of internal (private) packages that were mentioned in the changelog.

Information about those names could be used to carry out dependency confusion attacks against internal projects (in February, an attack of this kind allowed code execution on servers at PayPal, Microsoft, Apple, Netflix, Uber and about 30 other companies).
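A leaked internal package name is only dangerous if a build can be tricked into fetching that name from the public registry. The following is an added example, not from the article or from npm: it audits a package-lock.json (lockfile version 2/3 "packages" layout) for internal packages that resolved from anywhere other than the private registry, and flags internal names that are unscoped and therefore claimable by anyone on the public registry. The package names, the private registry URL and the lockfile contents are constructed for the example.

```javascript
// Added example, not from the article or from npm: audit a package-lock.json
// for the dependency-confusion risk created when internal package names leak.
// Names, registry URLs and the lockfile below are constructed for illustration.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@acme/b" -> "@acme/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Report every internal package that did not resolve from the private
// registry, plus every internal name that is unscoped (no "@scope/" prefix).
function auditLockfile(lock, internalNames, privateRegistry) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || nameFromPath(path);
    if (!internalNames.has(name)) continue;
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(privateRegistry)) {
      findings.push({
        name,
        version: entry.version,
        resolved,
        reason: resolved.startsWith(PUBLIC_REGISTRY)
          ? 'resolved from public registry'
          : 'resolved from unexpected source',
      });
    }
  }
  for (const name of internalNames) {
    if (!name.startsWith('@')) {
      findings.push({ name, reason: 'internal name is unscoped; anyone can publish it publicly' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one scoped internal package fetched from the
// private registry, one unscoped internal name that was pulled from the public
// registry (the confusion case), and an ordinary public dependency.
const SAMPLE_LOCK = {
  name: 'acme-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'acme-app', version: '1.0.0' },
    'node_modules/@acme/auth-client': {
      version: '2.3.0',
      resolved: 'https://npm.acme.internal/@acme/auth-client/-/auth-client-2.3.0.tgz',
    },
    'node_modules/acme-billing-utils': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
  },
};
const INTERNAL_NAMES = new Set(['@acme/auth-client', 'acme-billing-utils']);
const PRIVATE_REGISTRY = 'https://npm.acme.internal/';

function demo() {
  return auditLockfile(SAMPLE_LOCK, INTERNAL_NAMES, PRIVATE_REGISTRY);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The structural fix is to publish internal packages only under an organisation scope and pin that scope to the private registry in `.npmrc` (for example `@acme:registry=https://npm.acme.internal/`), so that a public package with the same name can never win version resolution; the audit above catches the cases where that has not been done.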

Also, given the increase in hijacked repositories of large projects and in malicious code being introduced by compromising developer accounts, GitHub decided to make two-factor authentication mandatory. The change will take effect in the first quarter of 2022 and will apply to maintainers and administrators of the packages on the most-popular list. In addition, details were given about an upgrade of the infrastructure that will introduce automated monitoring and analysis of newly published package versions for early detection of malicious changes.

Recall that according to a study conducted in 2020, only 9.27% of package maintainers used two-factor authentication to protect their access, and in 13.37% of cases, when registering new accounts, developers tried to reuse compromised passwords that appear in known password leaks.

When the strength of the passwords in use was checked, 12% of NPM accounts (13% of packages) were found to be accessible because of predictable, trivial passwords such as "123456". Among the problem accounts were 4 belonging to the 20 most popular packages, 13 accounts whose packages are downloaded more than 50 million times a month, 40 with more than 10 million downloads a month, and 282 with more than 1 million downloads a month. Taking into account how modules are pulled in along dependency chains, compromising these untrustworthy accounts could affect up to 52% of all modules in NPM.

Finally, if you want to know more about it, you can check the details at the following link.
