
This is malware

Open qpwo opened this issue 2 years ago • 6 comments

this is malware

qpwo avatar Mar 14 '22 20:03 qpwo

Do you have any link, or source to check this claim?

NPM recently removed the ability for users to report compromised packages

Because it looks to me like I could, if I wanted, report the package.

icyJoseph avatar Mar 15 '22 08:03 icyJoseph

Yeah, I'm also confused; this "Report malware" button exists pretty clearly on the package page, and this doc page says that it'll go to "the npm security team" (whoever that is).

mlugg avatar Mar 15 '22 14:03 mlugg

Do you have any link, or source to check this claim?

The last couple of times I went to report a security problem, I got a prompt "Are you a maintainer of this package?"; I hit no, and then it said go home.

qpwo avatar Mar 15 '22 19:03 qpwo

Oh it looks like they took it down 🎉

qpwo avatar Mar 15 '22 19:03 qpwo

@qpwo thanks for creating this to raise awareness of the problem. I have been working on the problem of detecting outbound traffic for this exact scenario, and while detecting from a desktop is hard, this new GitHub Action does allow detecting and restricting outbound traffic from GitHub Actions workflows that run on GitHub-hosted runners.

https://github.com/step-security/harden-runner

varunsh-coder avatar Mar 19 '22 11:03 varunsh-coder
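As an added illustration of the egress restriction described in the comment above (this is not the thread author's or the harden-runner project's own example), a workflow that installs npm dependencies behind an egress allow-list. The step inputs `egress-policy` and `allowed-endpoints` are assumed from the action's documented interface; the hostnames listed are assumptions about what a plain `npm ci` needs and should be checked against an `audit` run first.

```yaml
# Constructed example workflow: run the dependency install behind an
# outbound-traffic policy so a malicious install script that tries to
# phone home is blocked and logged rather than silently succeeding.
name: ci
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest   # GitHub-hosted runner, where the action applies
    steps:
      # Must be the first step so every later step's egress is covered.
      - uses: step-security/harden-runner@v2
        with:
          # Start with `audit` to learn the baseline set of endpoints,
          # then switch to `block` so anything not listed is denied.
          egress-policy: block
          # Assumed allow-list: only what checkout and npm ci legitimately need.
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # A compromised package's postinstall script runs here; with the
      # policy above, a connection to any unlisted host is refused and
      # shows up in the step's report for triage.
      - run: npm ci
```

Run once with `egress-policy: audit` and review the reported endpoints before tightening to `block`, or legitimate registry mirrors and build tooling will fail the job.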

Brilliant, I'll probably add a proper "tooling recommendations" section to the readme at some point, and I'll add that to it.

qpwo avatar Mar 19 '22 23:03 qpwo