TeselaGen / openVectorEditor

DEPRECATED - Teselagen's Open Source Vector/Plasmid Editor Component
https://teselagen.github.io/tg-oss/ove/#/Editor
MIT License

Compromised npm packages of ua-parser-js #783

Open flange-ipb opened 3 years ago

flange-ipb commented 3 years ago

Hi @tnrich! I just read news about a security issue in ua-parser-js, which seems also to be in the build pipeline of OVE (see yarn.lock). You can find information about it here. Could you please check the OVE artifacts?

Thanks, Frank

flange-ipb commented 3 years ago

In the discussion over at ua-parser-js you can read that the malicious packages were delivered by NPM for about 4 hours. The package installs some mining software and a password stealer via a preinstall script when running npm install (without --ignore-scripts), so everyone who was doing active development with OVE should check their computers ...

tnrich commented 3 years ago

Hi @flange-ipb thank you for the update. It appears that we might be in the clear with this particular package scam but that is indeed scary.

tnrich@thomass-mbp openVectorEditor % yarn why ua-parser-js
yarn why v1.22.10
[1/4] 🤔  Why do we have the module "ua-parser-js"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "ua-parser-js@0.7.21"
info Reasons this module exists
   - "nwb#karma" depends on it
   - Hoisted from "nwb#karma#ua-parser-js"
info Disk size without dependencies: "268KB"
info Disk size with unique dependencies: "268KB"
info Disk size with transitive dependencies: "268KB"
info Number of shared dependencies: 0
=> Found "fbjs#ua-parser-js@0.7.19"
info This module exists because "react-addons-perf#fbjs" depends on it.
info Disk size without dependencies: "264KB"
info Disk size with unique dependencies: "264KB"
info Disk size with transitive dependencies: "264KB"
info Number of shared dependencies: 0
✨  Done in 1.41s.

According to the linked issue, and comparing with the above yarn why call, it looks like we avoided the infected range. Still maybe a good idea for people to check their own computers? Any other suggestions of what should be done next @flange-ipb ?

Thanks for the heads up, Thomas

flange-ipb commented 3 years ago

Hi @tnrich, thanks for checking. These delivery chain attacks are very nasty and npm supports it by running scripts without asking. Fixing the versions of your dependencies might be an option, but this might collide with your CI/CD strategy. Not sure if this also applies for dependencies of dependencies etc. We as developers also have responsibilities that malicious code doesn't end up in software repositories: