An npm package disguised as "twilio-npm" was built to open a backdoor

The JavaScript library, packaged to look like a Twilio-related library, allowed a backdoor to be installed on developers' computers so that attackers could gain access to the infected workstations; it was uploaded to the npm open-source registry last Friday.

Fortunately, Sonatype's Release Integrity malware detection service quickly identified the malware, in three versions, and it was removed on Monday.

On Monday, the npm security team removed a JavaScript library named "twilio-npm" from the npm website because it contained malicious code that could open a backdoor on developers' computers.

Packages containing malicious code have become a recurring theme in the open-source JavaScript registry.

The JavaScript library (and its malicious behaviour) was discovered over the weekend by Sonatype, which monitors public repositories as part of its DevSecOps security operations services.

In a report released on Monday, Sonatype said the library was first published on the npm website on Friday, discovered the same day, and removed on Monday after npm's security staff blacklisted the package.

There are many legitimate packages in the npm registry that relate to or represent the official Twilio service.

But according to Ax Sharma, a security engineer at Sonatype, twilio-npm has no connection to the Twilio company. Twilio was not involved and has no link to this brand-hijacking attempt. Twilio is a major cloud communications-as-a-service platform that lets developers build VoIP applications capable of making and receiving phone calls and text messages.

The official Twilio npm project is downloaded about half a million times a week, according to the engineer. Its enormous popularity explains why threat actors would be interested in catching developers with fake packages under that name.

However, the twilio-npm package did not last long enough to fool many people. Uploaded on Friday, October 30, it was flagged as suspicious by Sonatype's Release Integrity service a day later; artificial intelligence and machine learning are clearly useful here. On Monday, November 2, the company published the results of its analysis and the code was removed.

Despite its short life on npm, the library was downloaded more than 370 times and automatically included in JavaScript projects created and managed via the npm (Node Package Manager) command line, according to Sharma. Many of those early requests, however, probably came from search engines and proxies that track changes to the npm registry.

The fake package is a single-file deception and has three versions available for download (1.0.0, 1.0.1 and 1.0.2). All three versions appear to have been released on the same day, October 30. Version 1.0.0 is not very elaborate, according to Sharma. It only includes a small manifest file, package.json, which pulls a resource hosted on an ngrok subdomain.

ngrok is a legitimate service that developers use while testing their applications, in particular to open connections to their "localhost" server applications from behind a NAT or firewall. However, as of versions 1.0.1 and 1.0.2, this manifest has a modified post-install script that performs a malicious action, according to Sharma.

This opens a backdoor on the user's machine, giving the attacker control over the compromised machine and remote code execution (RCE) capability. Sharma said the backdoor only works on UNIX-based operating systems.

Developers must change IDs, secrets and keys

The npm advisory says developers who may have installed the malicious package before it was removed are at risk.

"Any computer that has this package installed or running should be considered fully compromised," the npm security team said on Monday, confirming Sonatype's findings.
