this post was submitted on 17 Sep 2023
76 points (97.5% liked)

Programming

17020 readers
268 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
76
Roblox Game Devs Duped by Malicious npm Packages (www.cyber-oracle.com)
submitted 1 year ago by abobla@lemm.ee to c/programming@programming.dev
15 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] realharo@lemm.ee 14 points 1 year ago* (last edited 1 year ago) (1 children)

Clickbait title.

The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," and they were distributed across specific version ranges

Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?

You would have to really go out of your way to get infected by stuff like this.

That being said, there are things npm could do to try to auto-detect "risky" packages (new, similar name to existing projects, few downloads, etc.) and require an additional layer of confirmation, or something like that.

[–] atheken@programming.dev 8 points 1 year ago (1 children)

Also, as far as I can tell, they’re talking about devs that are building on the Roblox platform, not devs that are building the platform.

In other words, random devs of varying skill levels getting name-squatted.

It’s not good, but including Roblox in the title is definitely misleading/clickbait.

[–] JackbyDev@programming.dev 0 points 1 year ago (1 children)

It is a library to work with Roblox, saying Roblox isn't misleading. I can agree that "Roblox devs" is misleading though.

[–] atheken@programming.dev 0 points 1 year ago* (last edited 1 year ago) (1 children)

It’s misleading because it’s irrelevant and makes it sound like a platform breach.

Try replacing Roblox with “Foozsplatz” and the implication of severity is completely different, even though the nature of what is being reported is unchanged.

[–] JackbyDev@programming.dev 1 points 1 year ago (1 children)

I'm confused, in this hypothetical is Foozsplatz a non sense word or is it meant to be a game like Roblox? If you mean the first, then yeah, obviously replacing a proper noun with gibberish changes the implication. If you mean the second then no, it would have the same implication.

[–] atheken@programming.dev -1 points 1 year ago* (last edited 1 year ago) (1 children)

It literally doesn’t matter. You can remove the word and the nature of the problem being discussed is still the same. What platform is being targeted has nothing to do with the example problem. Roblox is only mentioned to sensationalize it and get clicks.

[–] JackbyDev@programming.dev 2 points 1 year ago (1 children)

Roblox is mentioned because it literally was a library for Roblox lmao. That's not sensationalizing.

[–] atheken@programming.dev 0 points 1 year ago* (last edited 1 year ago) (1 children)

The thread you are in and my response made it clear that the headline is clickbait by including that irrelevant detail.

If they didn’t include that word in the post title, it would have no traction at all.

[–] JackbyDev@programming.dev 2 points 1 year ago

"Roblox library is target of typo squatting" is a perfectly accurate headline that uses the word Roblox and is not clickbait.