文章摘要
文章指出,2025年微软因不作为已成为软件开发的威胁,类似2000年代的浏览器问题。NPM已成为传播恶意软件的主要途径,最初针对加密货币,现逐渐转向更关键的令牌和访问密钥,供应链攻击日益严重。
文章总结
标题:哦不,又来了……关于NPM供应链攻击的思考
主要内容:
这篇文章探讨了NPM(Node Package Manager)供应链攻击的现状及其背后的历史背景,特别是微软在这一问题中的角色。作者指出,尽管NPM在JavaScript生态系统中扮演了重要角色,但它也成为了恶意软件传播的主要渠道。近年来,NPM供应链攻击的目标已经从窃取加密货币转向了更关键的系统,如包维护者的令牌和访问密钥。
作者回顾了NPM的发展历史,指出它最初是为了解决JavaScript库管理问题而诞生的,但随着时间推移,NPM的安全问题逐渐暴露。尽管微软通过GitHub收购了NPM,并为NPM提供了资源支持,但它在提升NPM安全性方面做得远远不够。作者认为,微软在NPM安全问题上的不作为,使其成为了软件供应链中的“不良行为者”。
文章还提到,NPM的安全漏洞并非新问题,早在2016年就曾因left-pad事件引发广泛关注。然而,尽管业界对NPM的安全问题有所认识,但至今仍未采取有效措施来防止供应链攻击。作者呼吁整个行业共同努力,确保软件供应链的安全性,否则数据隐私和安全风险将继续上升。
关键点: 1. NPM已成为恶意软件传播的主要渠道,供应链攻击的目标日益严重。 2. 微软在NPM安全问题上的不作为,使其成为软件供应链中的“不良行为者”。 3. NPM的安全问题并非新问题,但至今仍未得到有效解决。 4. 作者呼吁整个行业共同努力,确保软件供应链的安全性。
结论: 文章最后强调,软件供应链的安全问题已经严重影响了软件开发的乐趣,并呼吁企业重新审视其使用的工具,确保其软件供应链的安全性,以保护客户、员工和自身利益。
评论总结
评论主要围绕NPM(Node Package Manager)的安全性和生态系统问题展开,以下是主要观点和论据的总结:
1. NPM的安全性问题
- 默认不安全:评论1指出,构建软件的工具默认不安全,且提供这些工具的公司(或开源社区)很少为产品的安全性负责。
- 引用:"The tools we use to build software are not secure by default, and almost all of the time, the companies that provide them are not held to account for the security of their products."
- 缺乏签名和审核:评论3和评论8提到,NPM缺乏依赖项的签名机制,且多年来开发者提出的安全问题(如包签名)被忽视。
- 引用:"But right now there are still no signed dependencies and nothing stopping people using AI agents, or just plain old scripts, from creating thousands of junk or namesquatting repositories."
- 引用:"Here is an issue from 2013 where developers are asking to fix the package signing issue. Gone fully ignored because doing so was 'too hard'."
2. NPM生态系统的文化问题
- 依赖过多且盲目升级:评论19指出,NPM文化倾向于盲目升级所有依赖项,这增加了供应链攻击的风险。
- 引用:"npm as designed really aggressively likes to upgrade things, and the culture is basically to always blindly upgrade all dependencies as high as possible."
- 前端工具单一化:评论20认为,前端开发过度依赖NPM,导致攻击面过大。
- 引用:"The NPM monoculture is the problem. It would be absurd to suggest that all backend engineers use the same build tooling and dependency library, but here we are with frontend."
3. 改进建议
- 引入2FA和代码签名:评论13和评论15建议,NPM应强制要求双因素认证(2FA)和代码签名,以提高安全性。
- 引用:"It seems to me like one obvious improvement is for npm to require 2fa to submit packages."
- 引用:"You mention 2FA. npm requires that for maintainers of the top 100 packages (since 2022), would you like to see that policy increased to the top 1,000/10,000/everyone?"
- 沙盒化运行:评论15提出,代码应在沙盒中运行,以减少恶意代码的影响。
- 引用:"The investment I most want to see around this topic is in sandboxing: I think it should be the default that all code runs in a robust sandbox unless there is a very convincing reason not to."
4. 现有解决方案
- 使用pnpm:评论10和评论11推荐使用pnpm,它默认禁用安装后脚本,并引入了最小发布年龄策略。
- 引用:"pnpm have already implemented a minimum age policy."
- 引用:"Switch to pnpm, it's not only faster and more space efficient, but also disables post-install scripts by default."
- 依赖审查和延迟更新:评论6和评论17建议,团队应审查依赖项并延迟更新,以减少供应链攻击的风险。
- 引用:"I think the cooldown approach would make this type of attack have practically no impact anymore."
- 引用:"My non-solution years ago was to use as little dependencies as possible. And vendor node_modules then review every line of code changed when I update dependencies."
5. 对微软的批评与辩护
- 批评微软的冷漠:评论9认为,NPM在追求控制的过程中忽视了基本的安全措施。
- 引用:"but only npm started with a desire to monetize it (well, npm and docker hub) and in its desire for control didn't implement (or allowed the community to implement) basic higiene."
- 为微软辩护:评论5指出,微软可能只是对NPM生态系统漠不关心,但不应将所有责任归咎于微软。
- 引用:"It's a stretch to pin blame on Microsoft. They're probably the reason the service is still up at all."
总结:
评论普遍认为NPM生态系统存在严重的安全问题,包括缺乏签名机制、依赖项盲目升级、以及前端工具单一化等。改进建议包括引入2FA、代码签名、沙盒化运行,以及使用pnpm等替代工具。同时,评论中对微软的角色存在争议,有人认为其冷漠,也有人为其辩护。