
Obtaining publish access to 13% of npm packages - Artemis2
https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md
======
haburka
I think this is a good example of something that's relatively unlikely to be
an issue, even though it sounds scary. Sure, someone could potentially inject
code into an npm package that would allow them to snoop on anyone who used the
package, but it would most likely be discovered very quickly. To hack
developers of popular packages is similar to trying to beat up the karate dojo
when there's a bank right across the street.

Plus, we all know that corporations rarely update their dependencies, so
anything you wrote to snoop would be caught before they updated.
You'd most likely just get bleeding-edge developers' information, which might
net you access to Netflix?

~~~
MaulingMonkey
Devs might be better than average at discovering and counteracting pwnage, but
they're also much higher value targets. They often _are_ the Bank.

As a criminal, what credentials do you want - some teen's facebook login? or
some dev's admin credentials which you can use to compromise entire databases?
What about software signing keys for your malware? Access to someone's
software update distribution channels?

Some companies strictly separate devs from these things, but not all of them
by a long shot - and even when they are, admins aren't going to necessarily be
code auditing every single release. One slip is all it takes.

Debian builds have been breached. Sourceforge has been breached. _Un_hacked
package managers and credentials already make me nervous. Up your paranoia,
and have enough self-esteem to realize you're worth targeting - and know
that all the karate in the world won't protect you from being shot in the back
from behind. They won't stake out the dojo either - it'll be your home or
favorite bar.

