Hilarious idea brought down by the AI slop thumbnail. The vulneráéilíties on that screen sure look OOTΓKAL.
Interestingly, developers in ecosystems like Go, Rust, and those utilizing native Web APIs—where robust standard libraries drastically reduce reliance on third-party code and strict cryptographic verification is built into the core toolchain
Does NPM really not do cryptographic verification or is this part of the joke? I always assumed the attacks were due to a compromised key or something, but this is implying you can just push whatever you want to an NPM package if you have the author’s login?
Rust
Rust is doing pretty poorly right now.
among the 999 most popular crates on crates.io, around 17% contained code that does not match their code repository.
https://kerkour.com/rust-supply-chain-nightmare
Unlike JavaScript, where at least it is an interpreted language people can audit, you would have to reverse engineer these binaries to figure out what they do.
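The check behind that 17% figure is, at bottom, "does the published artifact match the repo checkout?". As an added example (not code from the thread or from the linked article), here is a minimal version of that comparison in Python. The repo checkout and the published `.crate` tarball (a gzipped tar) are constructed inline as sample data; the package name `demo-0.1.0`, the injected `build.rs` and the extra `mod extra;` line are invented for illustration. It ignores `Cargo.toml.orig` and `.cargo_vcs_info.json`, which `cargo publish` adds to every crate, so those do not show up as spurious additions.

```python
"""Compare a published package archive against its source repository.

Added example: builds a constructed repo directory and a constructed
.crate tarball in a temp dir (no network), hashes every file in both, and
reports files that were added, removed or modified in the package relative
to the repo. The package contents are sample data, not a real crate.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Files cargo publish generates that legitimately have no repo counterpart.
CARGO_PUBLISH_ARTIFACTS = ("Cargo.toml.orig", ".cargo_vcs_info.json")


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 of every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def hash_tarball(tar_path: Path, strip_prefix: str) -> dict[str, str]:
    """Map relative path -> sha256 for files in a .tar.gz, dropping the top-level dir."""
    out = {}
    with tarfile.open(tar_path, "r:gz") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            name = m.name
            if name.startswith(strip_prefix + "/"):
                name = name[len(strip_prefix) + 1:]
            data = tf.extractfile(m).read()
            out[name] = hashlib.sha256(data).hexdigest()
    return out


def diff_trees(repo: dict, pkg: dict, ignore=()) -> dict[str, list[str]]:
    """Classify every path as added (only in package), removed (only in repo) or modified."""
    added = sorted(k for k in pkg if k not in repo and k not in ignore)
    removed = sorted(k for k in repo if k not in pkg and k not in ignore)
    modified = sorted(k for k in pkg if k in repo and pkg[k] != repo[k])
    return {"added": added, "removed": removed, "modified": modified}


def build_demo(workdir: Path) -> tuple[Path, Path]:
    """Construct a fake repo checkout and a fake published crate (sample data)."""
    manifest = '[package]\nname = "demo"\nversion = "0.1.0"\n'
    lib_src = "pub fn add(a: u32, b: u32) -> u32 { a + b }\n"

    repo = workdir / "repo"
    (repo / "src").mkdir(parents=True)
    (repo / "Cargo.toml").write_text(manifest)
    (repo / "src" / "lib.rs").write_text(lib_src)

    # The "published" crate: same manifest, but lib.rs was edited and a
    # build.rs that runs at compile time was added. Both are invented here.
    pkg = workdir / "demo-0.1.0.crate"
    with tarfile.open(pkg, "w:gz") as tf:
        def add(name: str, text: str) -> None:
            raw = text.encode()
            info = tarfile.TarInfo("demo-0.1.0/" + name)
            info.size = len(raw)
            tf.addfile(info, io.BytesIO(raw))

        add("Cargo.toml", manifest)
        add("Cargo.toml.orig", manifest)          # generated by cargo publish
        add("src/lib.rs", lib_src + "mod extra;\n")
        add("build.rs", "fn main() { /* runs on every cargo build */ }\n")
    return repo, pkg


def run_demo() -> dict[str, list[str]]:
    """Build the sample data and return the crate-vs-repo diff."""
    with tempfile.TemporaryDirectory() as d:
        repo, pkg = build_demo(Path(d))
        return diff_trees(hash_tree(repo), hash_tarball(pkg, "demo-0.1.0"),
                          ignore=CARGO_PUBLISH_ARTIFACTS)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Against a real crate you would point `hash_tree` at a checkout of the commit recorded in the crate's `.cargo_vcs_info.json` and `hash_tarball` at the downloaded `.crate` file; anything that lands in `added` or `modified`, and especially a `build.rs` or proc-macro source that is absent from the repo, is what to read first.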
push whatever you want to an NPM package if you have the author’s login
This is how all language package managers work, unfortunately. The login's security can be improved via things like 2FA, but it's currently very bad. Having multiple parties use keys to sign packages after reviewing all changes is a thing unique to distro package managers, and it is why Linux distros are extremely resilient against supply chain attacks.
Cargo distributes libraries as sources, not precompiled objects.
The recent attack didn’t have to do with cryptographic signatures. It was a supply chain worm, with GitHub Actions being the vector. https://snyk.io/blog/tanstack-npm-packages-compromised/