Malicious code ousted from PureScript's npm installer – but who put it there in the first place?

Another JavaScript package in the npm registry - the installer for PureScript - has been tampered with, leading project maintainers to revise their software to purge the malicious code. After a week of reports of unexpected behavior, software developer and PureScript contributor Harry Garrood on Friday published his account of …

  1. Anonymous Coward
    Anonymous Coward

    No software can be trusted

    Open source can be maliciously modified.

    Closed source can have malicious intent built in.

    There is no such thing as trustworthy code.

    1. Anonymous Coward
      Anonymous Coward

      Re: There is no such thing as trustworthy code.

      But you put your faith in the submit button nonetheless...

      1. Teiwaz Silver badge

        Re: There is no such thing as trustworthy code.

        But you put your faith in the submit button nonetheless...

        Submit?

        The Human centipad button, more like.

        i.e once there's crap in the system, we're all fed it.

      2. Anonymous Coward
        Anonymous Coward

        Re: There is no such thing as trustworthy code.

        OK. You've convinced me, I'll never submit another comment.

        D'OH!

    2. Will Godfrey Silver badge
      Angel

      Re: No software can be trusted

      I trust the code I write myself...

      {mostly}

      1. Captain Scarlet Silver badge
        Coat

        Re: No software can be trusted

        I don't trust anything I write myself, I am human and I make a lot of mistakes.

        1. overunder Bronze badge

          .

You clearly wouldn't trust anybody at all if they're using a "language" to "compile" to JavaScript.

PureScript ... PureShit. Scientifically, that just rhymes too well to be a coincidence.

  2. yoganmahew

    Free as in freely given...

    Never mind sorry, got the wrong end of who did what. More coffee needed.

  3. Pascal Monett Silver badge
    Thumb Down

These developer divas' egos are tiring to deal with

    So the facts are that the package was changed to break if the diva's installer was not the one used. Maybe the diva did it, maybe his account got hacked.

I have my opinion on that, but let me just ask why someone would hack an account and modify it to break only if a different installer was used? I'm guessing that if a hacker was intent on wreaking havoc, he'd want it to break whatever installer was used.

Okay, I get that you pour hours and days into something and you get attached to your project, but this kind of behavior is puerile and seriously lacks professionalism. Either you accept to transfer ownership and then get over it, or you refuse and accept the consequences.

    Accepting to relinquish control and then throwing a fit is just childish.

    1. Anonymous Coward
      Anonymous Coward

Re: These developer divas' egos are tiring to deal with

      The lack of other elements in this 'hack' makes it look very much like a 'FU'. How Watanabe can deny the clear implication is beyond me, even if he is innocent he must acknowledge how it looks objectively? Flat denial just makes it look even more dubious, after all it's his reputation on the line, you'd think he would be doing his best to identify the real source (assuming he isn't) rather than just protesting his innocence.

      1. Anonymous Coward
        Anonymous Coward

Re: These developer divas' egos are tiring to deal with

        "A hacker ate my reputation! Really!" Really?

    2. Fungus Bob Silver badge

Re: These developer divas' egos are tiring to deal with

      "I'm guessing that if a hacker was intent on wreaking havoc, he'd want it to break whatever installer was used."

      Unless said hacker wants to sit back and enjoy the show...

  4. Anonymous Coward
    Anonymous Coward

It sounds like instead of creating their own, better installer, the PureScript people decided to compel the owner of the existing one to give up control. This sounds like a dick move, to be honest. Making the installer not work was also a dick move. Neither party comes out of this looking good, from my reading of this article.

  5. druck Silver badge
    FAIL

    No time for this security lark

We've also asked NPM to elaborate on whether it has investigated the incident or taken any action against Watanabe based on these allegations. No word yet.

    Aren't they too busy taking legal action against their own employees?

    https://forums.theregister.co.uk/forum/all/2019/07/02/npm_abandons_settlement_talks/

  6. juice Silver badge

    Fun with externally sourced libraries...

    1) Write open-source, cloud-hosted module which does something useful

    2) Go work for Company X. Hook their system into your module

    3) Leave the company

4) Use your insider knowledge to update your library so that it will perform $dodgy_thing when it's run by company X

    5) Wait for them to pull down the new version of your library

    6) Profit!

After all, the odds that the company is going to be diligent enough to review all the third-party open-source code it pulls in are pretty minimal! Though to be fair, there are other ways to mitigate this, such as ensuring that all modules are set to a specific version.

    Also, there's the hope that someone in the Open Source community will spot that there's something dodgy in the code.

But for every project which has tens or hundreds of eyeballs on it, there's thousands which have a single contributor. And as we've seen numerous times, things like this are often only caught after the horse has already left the stable!
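The mitigation the post mentions, pinning every module to a specific version, is easy to state and easy to let drift. Below is an added example (not code from the article, the PureScript project or any commenter) that audits a package.json for dependency specs that are ranges or dist-tags rather than exact versions, and a package-lock.json for resolved packages that carry no integrity hash. It assumes the lockfile v2/v3 layout where resolved packages live under a "packages" key; the sample manifest and lockfile are constructed for the demo, and the integrity value in them is a placeholder rather than a real hash.

```javascript
// Added example: audit npm manifests for unpinned dependencies and for
// lockfile entries without an integrity (SRI) hash. Sample data is constructed.

// An exact semver version, optionally with prerelease/build metadata.
// Anything else (^, ~, >=, "latest", a git URL) can resolve to a different
// tarball the next time someone publishes.
const semverExact = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return semverExact.test(String(spec).trim());
}

// Collect every dependency whose spec is not an exact version.
function findUnpinned(manifest) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isPinned(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// In lockfile v2/v3, each resolved package under "packages" should carry an
// "integrity" field; npm ci verifies the downloaded tarball against it, so a
// replaced tarball for the same version fails to install.
function findMissingIntegrity(lock) {
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;   // the root project entry has no tarball
    if (entry.link) continue;    // workspace symlink, nothing to hash
    if (!entry.integrity || !/^sha(256|384|512)-/.test(entry.integrity)) {
      missing.push(path);
    }
  }
  return missing;
}

function runAudit(manifest, lock) {
  return {
    unpinned: findUnpinned(manifest),
    missingIntegrity: findMissingIntegrity(lock),
  };
}

// Constructed sample manifest: one pinned dep, three that float.
const sampleManifest = {
  name: "example-app",
  dependencies: {
    "left-pad-ish": "1.3.0",      // exact: pinned
    "some-installer": "^0.13.0",  // caret range: follows new minor/patch releases
    "another-lib": "latest",      // dist-tag: whatever gets published next
  },
  devDependencies: {
    "test-runner": "~2.1.4",      // tilde range
  },
};

// Constructed sample lockfile: one entry has no integrity hash at all.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/left-pad-ish": {
      version: "1.3.0",
      integrity: "sha512-PLACEHOLDER-not-a-real-hash",
    },
    "node_modules/some-installer": { version: "0.13.1" },
  },
};

const report = runAudit(sampleManifest, sampleLock);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node` after swapping the constructed objects for `JSON.parse(fs.readFileSync("package.json"))` and the lockfile; a non-empty `unpinned` or `missingIntegrity` list is the thing to fail a CI step on. Pinning alone only fixes which version you ask for; the integrity hash is what ties that version to a specific tarball, which is why both checks are here.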

    1. vtcodger Silver badge

      Re: Fun with externally sourced libraries...

      which does something useful

      An unnecessary complication. The module just has to exist. It doesn't actually have to DO anything useful. Or anything at all actually.

  7. Munchausen's proxy
    Pint

    The question is not "how?", but "why?"

    "designed to install PureScript, a programming language that compiles to JavaScript, on the user's system using the npm command line interface. It gets used about 2,000 times a week."

    It's muppets all the way down.

    1. Anonymous Coward
      Anonymous Coward

      Re: The question is not "how?", but "why?"

      JavaScript is just too bare-metal for the kids these days.

    2. Anonymous Coward
      Anonymous Coward

      Re: The question is not "how?", but "why?"

It may be helpful to point out that PureScript is best described as "Haskell done right". I.e. it's a very rigorous, principled language that just happens to compile down to JavaScript, which just happens to be gross. But so is x86 assembly and somehow we manage.

      Also Harry is a really great guy.

  8. Colin Miller

    repo ip log

    The repo will probably log the public ip that the commit was made from.

    It may be interesting to peruse the logs for these commits


Biting the hand that feeds IT © 1998–2019