Node Developers can harvest your passwords and credit card numbers

[Ghost]

www.hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

I know one of my flaws is using NPM packages like candy.

Bare in mind this could also be used for black hat seo not just grabbing form data!

 

[Samwise89]

You guys have to start telling us what's behind these mystery links. It needs to be a new forum rule. If the OP doesn't explain what it is they're sharing, it should be deleted IMO.

For everyone else, it's this:

"I’m harvesting credit card numbers and passwords from your site. Here’s how."

This guy wrote some code to capture whatever is being inputted into a form, either on a blur event or the form submit, and had it sent off to his own server.

The question was how he could get that on enough servers. The answer was to write a tiny piece of code that let Javascript console.log() alerts be color coded. Then he started fixing small bugs or any other issue on other NPM packages and also added this "enhancement" to it, and enough developers merged the request into their public packages that he's now pushing out 120,000 downloads a day of his malware.

And then he bragged about it on Medium. He has 23 packages pulling from his repository with 6 more working on it. He has 120k downloads a day, is executing on thousands of websites including a handful of Top 1000 Alexa sites.

Then at the end he says "Surprise, this post is entirely fictional but possible." Who knows.

 

[Joe]

Nice exploit; here's an arrest warrant.

 

[Ryuzaki]

I still don't understand why people think raising awareness of exploits is the way to solve them. In this case, sure, you need to make sure the guys building NPM packages know to watch out for this.

But most of them aren't the ones reading this kind of news. It's the bad guys. So what you've effectively done is train the bad guys how to trick all of the naive "everything is rainbows and cupcakes open source free for all transparency" guys who aren't necessarily in it to be effective but to build a reputation.

Same goes for plugin developers for CMS's that push an update to patch an exploit and announce exactly what it was and how you do it in the update notes. You've just told everyone, good guys and bad guys, at the exact same time where the vulnerability is. Who do you think is faster, the bad guys scanning a bazillion sites per hour for the exploit, or the webmasters casually checking their plugin updates once a month?