qpwo / actual-malware

Just npm install
https://web.archive.org/web/20220313030402/https://www.npmjs.com/package/actual-malware

This is malware #1

Open qpwo opened 2 years ago

qpwo commented 2 years ago

this is malware

icyJoseph commented 2 years ago

Do you have any link, or source to check this claim?

NPM recently removed the ability for users to report compromised packages

Because it looks to me like I could, if I wanted, report the package.

mlugg commented 2 years ago

Yeah, I'm also confused; this "Report malware" button exists pretty clearly on the package page, and this doc page says that it'll go to "the npm security team" (whoever that is). [image]

qpwo commented 2 years ago

Do you have any link, or source to check this claim?

The last couple of times I went to report a security problem, I got a prompt "Are you a maintainer of this package?"; I hit no, and then it said go home.

qpwo commented 2 years ago

Oh it looks like they took it down 🎉

varunsh-coder commented 2 years ago

@qpwo thanks for creating this to raise awareness of the problem. I have been working on the problem of detecting outbound traffic for this exact scenario, and while detecting from a desktop is hard, this new GitHub Action does allow detecting and restricting outbound traffic from GitHub Actions workflows that run on GitHub-hosted runners.

https://github.com/step-security/harden-runner
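The harden-runner setup from the comment above, as an added example that is not part of this issue thread or of either project's own code: the audit job only records outbound connections made during `npm install`, while the block job restricts them to an allowlist. The endpoint list and the use of `npm ci --ignore-scripts` are assumptions for illustration.

```yaml
# Added example (not from the issue or the actual-malware package): a GitHub
# Actions workflow that runs an npm install behind step-security/harden-runner.
# Assumed: the project has a package.json and the listed endpoints are all it needs.
name: ci
on: [push, pull_request]

jobs:
  audit-install:
    # Weak setting: egress-policy "audit" only logs outbound connections, so an
    # install script that phones home still succeeds; the connection shows up in
    # the harden-runner report, which is the detection the comment above describes.
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: npm install

  blocked-install:
    # Corrected setting: "block" drops any connection not in allowed-endpoints,
    # so a lifecycle script cannot reach a host outside the allowlist.
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      # --ignore-scripts stops preinstall/postinstall scripts from running at all;
      # together with the egress block this limits what a malicious package can do.
      - run: npm ci --ignore-scripts
```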

qpwo commented 2 years ago

Brilliant, I'll probably add a proper "tooling recommendations" section to the readme at some point, and I'll add that to it.