GitHub now brings mandatory enhanced account verification to NPM

GitHub recently released further changes to the NPM ecosystem in response to the security problems that have been arising. One of the most recent incidents was that attackers managed to take over the coa NPM package and published versions 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3, which included malicious changes.
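The coa releases named above can be checked for in a project's lockfile. This is an added example, not code from GitHub or from the article: the version list comes from the article, the lockfile layouts are npm's nested `dependencies` tree (lockfileVersion 1) and flat `packages` map (lockfileVersion 2 and 3), and both sample lockfiles are constructed.

```javascript
// Compromised coa releases, exactly as listed in the article.
const BAD_COA = new Set(["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"]);

// Walk the nested "dependencies" tree used by lockfileVersion 1.
function walkDeps(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail.concat(name).join(" > ");
    if (name === "coa" && BAD_COA.has(info.version)) {
      hits.push({ where, version: info.version });
    }
    walkDeps(info.dependencies, trail.concat(name), hits);
  }
}

// Return every locked coa entry whose version is on the compromised list.
function findCompromisedCoa(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = info.name || path.split("node_modules/").pop();
      if (name === "coa" && BAD_COA.has(info.version)) {
        hits.push({ where: path, version: info.version });
      }
    }
  } else {
    walkDeps(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V2 = JSON.parse(`{
  "lockfileVersion": 2,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/coa": { "version": "2.0.2" },
    "node_modules/svgo/node_modules/coa": { "version": "2.1.3" }
  }
}`);
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    svgo: { version: "1.3.2", dependencies: { coa: { version: "3.1.3" } } },
    coa: { version: "2.0.2" },
  },
};

console.log(findCompromisedCoa(SAMPLE_V2), findCompromisedCoa(SAMPLE_V1));
```

A transitive copy pinned under another package is reported with its full path, which is where a compromised release is most easily missed.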

In light of this, and of the growing number of cases in which repositories of major projects are hijacked and malicious code is pushed through compromised developer accounts, GitHub is introducing enhanced account verification.

Separately, mandatory two-factor authentication will be introduced early next year for the maintainers and administrators of the 500 most popular NPM packages.

From December 7, 2021 to January 4, 2022, all maintainers who have the right to publish NPM packages but do not use two-factor authentication will be moved to enhanced account verification. Enhanced verification requires entering a unique code sent by email when attempting to log in to the npmjs.com site or to perform an authenticated operation in the npm utility.

Enhanced verification does not replace, but only supplements, the optional two-factor authentication that was already available, which requires verification with time-based one-time passwords (TOTP). Enhanced email verification does not apply when two-factor authentication is enabled. Starting February 1, 2022, the process of moving to mandatory two-factor authentication will begin for the 100 most popular NPM packages with the most dependents.

Today we are introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning December 7 and wrapping up on January 4. Npm registry maintainers who have access to publish packages and do not have two-factor authentication (2FA) enabled will receive an email with a one-time password (OTP) when authenticating through the npmjs.com website or the npm CLI.

This emailed OTP will need to be provided in addition to the user's password before authenticating. This additional layer of authentication helps prevent common account takeover attacks, such as credential stuffing, which use a user's compromised and reused password. It is important to note that Enhanced Login Verification is meant to be an additional baseline protection for all publishers. It is not a replacement for 2FA, NIST 800-63B. We encourage maintainers to opt for 2FA authentication. By doing so, you will not need to perform enhanced login verification.

After the migration of the first hundred is complete, the change will be extended to the 500 most popular NPM packages by number of dependents.

In addition to the currently available application-based two-factor authentication schemes for generating one-time passwords (Authy, Google Authenticator, FreeOTP, etc.), in April 2022 they plan to add the ability to use hardware keys and biometric scanners that support the WebAuthn protocol, as well as the ability to register and manage several additional authentication factors.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases, when registering new accounts, developers tried to reuse compromised passwords that appear in known password lists.

During an audit of the strength of the passwords in use, 12% of NPM accounts (13% of packages) were accessed because they used predictable and trivial passwords such as "123456". Among the problematic accounts were 4 user accounts from the 20 most popular packages, 13 accounts with packages downloaded more than 50 million times per month, 40 with more than 10 million downloads per month and 4 with more than 1 million downloads per month. Taking into account how modules are loaded along the dependency chain, the compromise of untrusted accounts could affect up to 20% of all modules in NPM in total.

Finally, if you are interested in learning more about it, you can check the details in the original post at the following link.

