NPM continues to have security problems, and now another one has affected the package update process

A few days ago GitHub disclosed two incidents in the NPM package repository infrastructure, explaining that on November 2, third-party security researchers, as part of the Bug Bounty program, found a vulnerability in the NPM repository that allowed publishing a new version of any package using an account that was not authorized to make such an update.

The vulnerability was caused by an incorrect authorization check in the code of the microservices that process requests to NPM. The authorization service checked permissions for a package based on the data passed in the request, but a different service, the one that actually wrote the update to the repository, determined which package to publish from the metadata contained in the uploaded package itself.

So an attacker could request the publication of an update to their own package, to which they had access, but place in the package itself the metadata of a different package, and that other package would ultimately be the one updated.

In recent months the npm team has invested in core infrastructure and security improvements to automatically monitor and analyze newly published package versions, in order to identify malware and other malicious code in real time.

There are two main types of malware-publishing incidents that occur in the npm ecosystem: malware posted as a result of account takeover, and malware that attackers publish through their own accounts. Although high-impact account takeovers are rare compared to malware published directly by attackers using their own accounts, account takeovers can be far-reaching when they target the maintainers of popular packages. While our detection and response time for identifying a popular package has been as low as 10 minutes in recent incidents, we continue to develop our malware detection capabilities and notification strategies around a proactive response model.

The problem was fixed 6 hours after the vulnerability was reported, but the vulnerability had been present in NPM for longer than the period covered by the telemetry logs. GitHub says there are no traces of attacks using this vulnerability since September 2020, but there is no guarantee that the problem was not exploited earlier.

The second incident occurred on October 26. During technical and data maintenance work on the replicate.npmjs.com service, it was discovered that confidential data was present in a database accessible for external queries, revealing the names of internal packages mentioned in the changelog.

Knowledge of those names could be used to carry out a dependency confusion attack against internal projects (in February, such an attack allowed code to be executed on the servers of PayPal, Microsoft, Apple, Netflix, Uber and about 30 other companies).

Also, in response to the growing number of incidents in which repositories of large projects are hijacked and malicious code is pushed through compromised developer accounts, GitHub decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to maintainers and administrators of the packages on the list of the most popular ones. In addition, information was provided about improvements to the development infrastructure, where automatic monitoring and analysis of new package versions will be introduced to detect malicious changes early.

Recall that according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases, when registering new accounts, developers tried to reuse compromised passwords that appear in known password leaks.

During a check of the strength of the passwords in use, 12% of accounts on NPM (13% of packages) could be accessed because of predictable and trivial passwords such as "123456". Among the problem cases were the user accounts of 4 of the 20 most popular packages, 13 accounts whose packages are downloaded more than 50 million times per month, 40 with more than 10 million downloads per month, and 282 with more than 1 million downloads per month. Taking into account module loading along the dependency chain, compromising those untrusted accounts could affect up to 52% of all NPM modules in total.

Finally, if you are interested in learning more about it, you can check the details at the following link.
