
Thread 106523894

78 posts 20 images /g/
Anonymous No.106523894 [Report] >>106523926 >>106524432 >>106524589 >>106525294 >>106525433 >>106525924 >>106526371 >>106528920 >>106530559
Chalk packages compromised. Over 2 bil weekly downloads
>https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

>addresses that are siphoning away crypto

>the email that scammed
>https://imgur.com/a/q8s235k

npm is a cancer on this world
Anonymous No.106523926 [Report] >>106525724 >>106526229 >>106526250 >>106526352 >>106528805 >>106530404
>>106523894 (OP)
Drew Devault was right about the package managers.
Cargofaggots, take note.
Anonymous No.106524078 [Report] >>106525999
there's transactions worth tens of thousands on just 1 wallet from a list of 200

uh oh
Anonymous No.106524294 [Report]
>is-arrayish
>severity: critical

how will webdevs cope with this?
Anonymous No.106524432 [Report] >>106525814
>>106523894 (OP)
This is why you should never upgrade
Anonymous No.106524589 [Report] >>106524654 >>106525853 >>106525982
>>106523894 (OP)
>is-arrayish
>used by: 30 MILLION
Fucking retards, webdevs are such retards.
The entire package is just this btw.
module.exports = function isArrayish(obj) {
    if (!obj || typeof obj === 'string') {
        return false;
    }

    return obj instanceof Array || Array.isArray(obj) ||
        (obj.length >= 0 && (obj.splice instanceof Function ||
            (Object.getOwnPropertyDescriptor(obj, (obj.length - 1)) && obj.constructor.name !== 'String')));
};

btw JS is such a horrible language ...
Anonymous No.106524654 [Report] >>106525744
>>106524589
C++ would do the same.
Anonymous No.106525069 [Report]
>npmjs.help
What a retard
Anonymous No.106525088 [Report]
but is isEven compromised???
Anonymous No.106525139 [Report]
when will freetards learn?
just use windows, problem solved!
Anonymous No.106525294 [Report] >>106525696
>>106523894 (OP)
why the fuck would anyone ever trust/click a link in an email? are these people 70yo or something??
Anonymous No.106525433 [Report]
>>106523894 (OP)
yeah nice, fuck packages, fuck npm, I was right since the beginning
Anonymous No.106525694 [Report] >>106525713 >>106525960 >>106525966
I almost shat myself reading this in the GitHub advisory
>Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Thankfully it doesn't affect developer machines.
Fucking retarded. Shit like this dissuades me from touching webjeet ever again.
Anonymous No.106525696 [Report] >>106529246
>>106525294
Apparently 2FA makes you do it. I never enable 2FA so I wouldn't know.
Anonymous No.106525713 [Report]
>>106525694
This is true and standard practice for any malware that got access to a system.
Anonymous No.106525724 [Report] >>106525753 >>106525813
>>106523926
Kill yourself, Drew
Anonymous No.106525744 [Report] >>106525755
>>106524654
C++ doesn't have package managers
Anonymous No.106525753 [Report] >>106525813
>>106525724
Not Drew, but it is fairly obvious that the guy knows what he is talking about ...
Anonymous No.106525755 [Report] >>106525789
>>106525744
I mean code-wise. Also they would just put it into boost.
>language specific package managers
Fucking retarded.
Anonymous No.106525785 [Report] >>106526167 >>106526243
This wouldn't be a problem if they had signed packages like Maven central. But no, mention package signing and they all recite their favorite 12 year old blog post verbatim.
https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
These people are idiots. They're like children playing with loaded guns.
Anonymous No.106525786 [Report] >>106525980
I don't touch webshit, what are these packages for?
Anonymous No.106525789 [Report]
>>106525755
boost is not run by one person so it would be impossible.
Node has literal thousands of sub 100 LoC packages with >10M downloads that are owned by one person. That is what makes it so vulnerable.
Anonymous No.106525813 [Report]
>>106525753
Please refer to >>106525724
Anonymous No.106525814 [Report]
>>106524432
the moral of the story here is don't keep your wallets on your computer? don't use them with a bleeding edge setup?
Anonymous No.106525845 [Report]
fucking webjeet niggers i swear to god
Anonymous No.106525853 [Report] >>106525874
>>106524589
Reminder that the majority of the websites you use, including this piece of shit, is filled with libraries like this.

Module support, import and similar was the worst thing to happen to JS, to ECMA at large.
It allowed garbage-tier "developers" in to webdev.
Librarymonkeys need shot.
Now we have an even worse plague - fucking vibecodemonkeys.
Anonymous No.106525874 [Report]
>>106525853
>trying to gatekeep nigger jeet webdev
lmao sit down you don't get to look down on anyone you subhuman
Anonymous No.106525924 [Report] >>106525999
>>106523894 (OP)
So did it work? anyone got their crypto transactions altered?
also i would have fallen for it ngl
Anonymous No.106525960 [Report]
>>106525694
Based. Developer chads win again. Thank god the mere act of coooooding means I'm safe from malware
Anonymous No.106525966 [Report]
>>106525694
>he doesnt know
Anonymous No.106525980 [Report] >>106526003 >>106526029
>>106525786
revolutionary things that before AI were impossible for mere mortals to code by themselves like "checking if a number is even or odd"

before you think i'm being hyperbolic and fucking with you,
https://www.npmjs.com/package/is-even
Anonymous No.106525982 [Report]
>>106524589
ironically LLMslop solves this since it will write its own functions for all this shit and loves to reinvent the wheel
Anonymous No.106525999 [Report]
>>106525924
yeah, one of the 200 wallets had tens of thousands of vbux siphoned through it when i last checked >>106524078
Anonymous No.106526003 [Report]
>>106525980
>code tabs allows you to see the code
>it's marked as beta
Why?
>it requires javascript to be enabled to show the code
To run malware in my browser?
Anonymous No.106526013 [Report]
https://www.npmjs.com/package/is-odd?activeTab=code
>checking whether a number is odd can throw an exception
God I'm so glad to be a cnile.
Anonymous No.106526029 [Report] >>106526057 >>106526058 >>106526060 >>106526074 >>106526167
>>106525980
what does this return if you run it on things like 2.5, pi, i, etc
Anonymous No.106526057 [Report] >>106526060
>>106526029
idk but im pretty sure mathematically speaking those numbers are not even and therefore can only be odd
Anonymous No.106526058 [Report] >>106526064 >>106526071 >>106528491
>>106526029
Exception. Just of the type "Exception", which means nobody considered that you might want to catch this error.
Anonymous No.106526060 [Report] >>106526072
>>106526029
nm i checked
i guess that's valid since it's not defined for non integers
i wonder if there's a concept of odd or even infinities
>>106526057
pretty sure that's not how it works at all, they are neither even nor odd
Anonymous No.106526064 [Report]
>>106526058
>"Exception"
Actually "Error", but the argument doesn't change.
Anonymous No.106526071 [Report]
>>106526058
what type of exception should you even return? NotAnInteger?
Anonymous No.106526072 [Report]
>>106526060
>odd infinities
>even infinities

there's all kinds of infinities retard, uneducated fuck, wanna feel alive again? some infinities are bigger than others... WOOOOW HOLYT SHIT did i break you stupid small ape brain?
Anonymous No.106526074 [Report]
>>106526029
if (!Number.isInteger(n)) {
    throw new Error('expected an integer');
}

reminder that these are the people who parrot LEARN TO CODE and bemoan jeets taking their jobs and that your job is a Bullshit Job if it's not coooooding
Anonymous No.106526167 [Report] >>106526210
>>106526029
In a normal language, a compile error happens before you even try to run it
>>106525785
“It’s not a 100% bulletproof solution so therefore we shouldn’t try it at all” has got to be one of the dumbest arguments I’ve ever heard and it’s insane how much it’s used. On the other hand, these are the people who are solely responsible for 99.99999% of web-based security holes by the mere existence of automatically executing arbitrary user-provided programs as a concept anyone accepts as reasonable so they’re probably not the ones anybody should be asking
Anonymous No.106526210 [Report] >>106526313
>>106526167
>In a normal language, a compile error happens before you even try to run it
have you ever heard of input? you can't catch it at compile time lol
Anonymous No.106526229 [Report]
>>106523926
Your skull deserves to be smashed in, Drew.
You accomplished nothing in your life and your death would be for the better.
Anonymous No.106526243 [Report]
>>106525785
>signed packages
Certificate bullshit has never fixed anything. Kill yourself.
Anonymous No.106526250 [Report] >>106526359
>>106523926
>Drew Devault was right about the package managers.
link to post?
Anonymous No.106526313 [Report]
>>106526210
I have. Have you heard of making sure a function that only makes sense to run on integers only accepts integers and if you want floats (eg from user input) you have to cast them to integers separately? It’s called strong typing and it’s fucking amazing
Anonymous No.106526352 [Report] >>106526367 >>106526392
>>106523926
Sorry Drew, but GingerBill just released an article shitting on package managers, and unlike you, he's not a huge narcissistic pedophile faggot.
Anonymous No.106526359 [Report]
>>106526250
https://harelang.org/documentation/faq.html
>Moreover, Hare is culturally distinct from Rust, for example we have no package manager and encourage less code reuse as a shared value
Anonymous No.106526367 [Report]
>>106526352
Link?
Anonymous No.106526371 [Report] >>106526421 >>106526462
>>106523894 (OP)
no, phishing is.
it's clear we need a password alternative like, yesterday that would prevent this, but passkeys are judaic. why is this such a hard field to solve? ssh can do TOFU to validate sites and also has a working pubkey infra.
Anonymous No.106526392 [Report] >>106526441
>>106526352
Odin nigger is also a midwit so who cares what he just released.
Anonymous No.106526421 [Report] >>106526737
>>106526371
im not enrolling in an entire chain of trust certificate program just to download a package that tells me whether a number is divisible by 2 (and throws an exception when it is given an integer instead of a string)
Anonymous No.106526441 [Report]
>>106526392
Whatever Drew
Anonymous No.106526462 [Report]
>>106526371
>ssh can do TOFU to validate sites
now the same sentence but without gay acronyms
Anonymous No.106526632 [Report]
>cryptofaggots' shit is powered by literally fucking unironically JAVASCRIPT
I always knew this shit was nothing but a fucking ponzi scheme
Anonymous No.106526737 [Report] >>106526808
>>106526421
Good. It should be difficult to install packages so you’re encouraged to only install the ones you *actually* need and only update it when you need new features or fixing CVEs
Anonymous No.106526808 [Report]
>>106526737
but how else can i possibly know if a number is 2?
Anonymous No.106527088 [Report] >>106527120
Wrong. Nothing ever happens
Anonymous No.106527120 [Report]
>>106527088
But Chuddha what if-
Anonymous No.106527182 [Report] >>106527247 >>106527727 >>106528498 >>106529411 >>106531000
https://www.securityalliance.org/news/2025-09-npm-supply-chain
Anonymous No.106527237 [Report]
>2 billion downloads per week
yikes what do these jeets do, never ever cache packages?
Anonymous No.106527247 [Report]
>>106527182
even when webshitters fail they win by failing to fail. death to webshitters are dead, long live webshitters.
Anonymous No.106527727 [Report] >>106531000
>>106527182
Anonymous No.106528491 [Report]
>>106526058
Maybe you can install the npm package what-exception-kind to know more.
Anonymous No.106528498 [Report]
>>106527182
kek
Anonymous No.106528805 [Report]
>>106523926
Based Drew! I have a loli for (you)!
Anonymous No.106528920 [Report]
>>106523894 (OP)
>using anything BUT Monero
>not prioritizing precious metals, freeze dried foods, and bullets first
LOL, Lmao even. These niggas are gona die in the boog.
Anonymous No.106529058 [Report] >>106529092
remember when crypto bros wanted all government services to use blockchain tech?
Anonymous No.106529092 [Report]
>>106529058
always found their ideas funny. like actually laughing funny. thinking they gonna take power away from bankers, just like that. it was like hearing kids thinking out loud
Anonymous No.106529246 [Report]
>>106525696
2fa typically sends you a numerical code you enter. Or you use an authenticator app.

Bro didn't even look at the hyperlink or check the certificate of the page he's on. Not sure what to say about that since he's supposed to be a Web dev. I'd expect that to be 2nd nature.
Anonymous No.106529411 [Report] >>106530534
>>106527182
what a terrible website. why is the width of the content set to the width of the screen. i shouldn't have to physically move my head to read this shit
Anonymous No.106530404 [Report]
>>106523926
Drew a flip, faggot
Anonymous No.106530534 [Report]
>>106529411
Probably mobile optimized.
Anonymous No.106530559 [Report]
>>106523894 (OP)
>@bad at computer
>is bad at computer
Anonymous No.106531000 [Report]
>>106527182
>>106527727
I kinda wish he was able to steal a lot more, like millions of €, so that the npm faggots would maybe learn a lesson
>is-arrayish