1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.
2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.
Download source. Extract. Move files to correct node_modules folder.
If your distribution requires more than this, then it's not really a module, or combines too many non-modular components, and should be distributed differently.
The ability for npm to run scripts on any level should be removed.
Then we can go back to worrying about namespacing issues.
If an attacker can infect the post-install script of an npm package, they can also infect the package source code itself. So if you ever run the project outside the sandbox, you will still get compromised.
It's like saying "I don't trust a software app with an installer, I just want a .zip with the binaries from the same source that I will run myself"
> they can also infect the package source code itself
Which is where the concept of "safe levels" come in. I should be able to install this module in such a way where file operations and process operations are not available to it. That being said, presumably, this types of infiltration would seem to be _much_ easier to spot. "Why is this web framework calling 'spawn'?"
> I just want a .zip with the binaries
I want a .zip with the _code_. Just the code. None of the packaging nonsense. My distribution can handle that.
do you really think you will see a clear "spawn" call? there is a long history of obfuscating what the code does to hide backdoors, in quite ingenious ways
> I should be able to install this module in such a way where file operations and process operations are not available to i
technically browser sandboxes, WASM, do this. but then you are very limited since you can only sandbox the whole app, and not one module, so if you need local file access, you need to open it up to the whole app and all it's modules
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.
So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.
Even for single page website built using Vue, I would get about 5 updates a week.
So. Dependabot (and renovate) do have "cooldowns" supported, just need to set them up.
For dependabot it's as simple as
cooldown.default-days: 1
There are security researchers (that don't have cooldowns) that usually detect compromises within hours or less, and package managers almost always manage to remove the offending versions in less than 24 hours (usually much less).
So people will 24 hours cooldowns get protected.
Shameless plug: I maintain depsguard.com that tries to simplify cooldowns setup across anything that supports it, in one command (it scans from where you run it, e.g. if you run it from your user folder it will look for any local repos with dependabot / renovate and suggest a change.
It’s plausible. It’s certainly the case that we (meaning security practitioners) spent years trying to move people onto faster and more automated update cycles, and these kinds of compromises have revealed a latent weakness that comes wit doing so.
The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]
Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.
Well, that's not how the world works.
Fake stars can propel a good project to great.
A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.
I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?
Copy the same way people can star projects to the new platform too, but maybe allow people to buy them directly from you to cut out the middleman. It could be very efficient.
Those were real companies.
The conversation started online and immediately moved in-person.
I was never asked to install anything.
I was not even given code access (without NDA) and I did get paid with equity/money in cases there was a mutual match and we proceeded.
Oh god, thanks for the heads up. It's a wonder how many people fell for it, definitely non-zero I reckon. I would hate for this to become a thing on LinkedIn.
Always run third-party code (especially npm packages) inside a sandbox, take your pick: ai-jail, bubblewrap, seatbelt, or amazing-sandbox (the last one, I wrote for myself after trying all others).
Bubblewrap doesn't help with protecting DBus bus (and you can do a lot with unrestricted access to DBus), accessing the GPU, Wayland and audio daemon. It cannot protect /proc and /sys filesystems. So it works only for simplest CLI programs.
As I remember, some Node.js utility (maybe npm) had a bug where it hang if there were no /proc filesystem because it couldn't figure out how many CPUs are available. Telegram crashes because of Apple's Grand Central Dispatch library if run in a sandbox without /proc. That's how bad things are.
Also, Chrome and Electron apps use SUID binaries to build their own sandbox. How would you sandbox an Electron app (obviously running an untrusted SUID binary is not an option)?
This seems to have similar or less features than bubblewrap, but requires Docker which loads huge images and wastes disk space. No Wayland, DBus, Pipewire, proc, sys filtering. Furthermore, Docker docs explicitly says that it cannot be used for security sandboxing. Also, Docker is a huge binary, run as root, with lot of APIs and wide attack surface.
> Also, Docker is a huge binary, run as root, with lot of APIs and wide attack surface.
You can run it without root.
And that's what you should do.
> No Wayland, DBus, Pipewire, proc, sys filtering.
Yeah, I don't need Wayland for CLI tools.
For others, you get them inside Docker, isolated from the rest of the system.
When I run `npm install`, I want isolation.
Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
reply