Hello, welcome to the Monday, May 7, 2018 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Indianapolis, Indiana.

In the past, we had a couple of incidents where NPM, the Note Package Manager, didn't really look all that great,

where it was possible, for example,

to inject malicious code or verse take over existing libraries.

But that appears to be changing someone at least last week.

The NPM security team was able to remove a malicious library before it was actually included in any

additional projects. One of the dangers of NPM, and that's actually common to most of these

package management systems, is that once you have a malicious library and that's now being

included as a dependency in other

well-known libraries, that malicious code can pretty easily spread. So it's really important

for the NPM security team to discover and eliminate malicious libraries quickly. The latest

example are two packages that claimed to parse cookies. Now,

just like in earlier cases, community members, so users of NPM actually discovered the issue,

and this package was already included in a fairly popular mail parser package. So the initial malicious

package here was get cookies, but then two other packages, express cookies and HDP fetch cookies

depended on it. And then a third package, a mail parser, and that's actually the big one here.

It's a quite popular package.

Did include HTTP fetch cookies, so anybody installing MailParser also installed the backdoor that was delivered via Get Cookies.

Now, overall, of course, this is how sort of open source is supposed to work

that users are actually reviewing the code and then flagging either malicious or insecure code.

It would, however, be quite nice, in my opinion, to have more proactive scanning,

...