Umtapo wezincwadi weJavaScript, ohlose ukuba ube umtapo wolwazi ohlobene ne- UTwilio wavumela ukuthi kungeniswe amakhompyutha angemuva kumakhompyutha ohlelo Ukuvumela abahlaseli ukuthi bangene ezindaweni zokusebenza ezinegciwane, ilayishwe kwirejista yemithombo evulekile npm ngoLwesihlanu olwedlule.
Ngenhlanhla isevisi yokuthola i-malware I-Sonatype Release Integrity ithole ngokushesha i-malware, ngezinhlobo ezintathu, futhi walisusa ngoMsombuluko.
Ithimba lezokuphepha npm lisuse umtapo wolwazi weJavaScript ngoMsombuluko ibizwa nge- "twilio-npm" kusuka kuwebhusayithi ka-npm ngoba ibiqukethe ikhodi enonya engavula izindlu zangasese kumakhompyutha wabahleli.
Amaphakheji aqukethe ikhodi enonya abe yisihloko esiphindaphindwayo kumthombo ovulekile wokubhalisa ikhodi yeJavaScript.
Umtapo wezincwadi weJavaScript (kanye nokuziphatha kwayo okunonya) kutholakale kule mpelasonto ngabakwaSonatype, abaqapha izinqolobane zomphakathi njengengxenye yemisebenzi yayo yezokuphepha yeDevSecOps.
Embikweni okhishwe ngoMsombuluko, uSonatype uthe umtapo wezincwadi uqale ukufakwa kuwebhusayithi ka-npm ngoLwesihlanu, watholakala ngalo lolo suku, wasuswa ngoMsombuluko ngemuva kokuthi ithimba lezokuphepha le-npm lifake iphakethe ku ukuvinjelwa.
Kunamaphakeji amaningi asemthethweni kwirejista yango-npm ehlobene noma emele insizakalo yeTwilio esemthethweni.
Kodwa ngokusho kuka-Ax Sharma, ongunjiniyela wezokuphepha kuSonatype, u-twilio-npm akahlanganise lutho nenkampani iTwilio. UTwilio akabandakanyeki futhi akahlanganise lutho nalokhu kuzama ukweba umkhiqizo. I-Twilio iyinhlangano yezokuxhumana ehamba phambili esuselwa emafini njengensizakalo enika amandla onjiniyela ukuthi bakwazi ukudala izinhlelo zokusebenza ezenzelwe i-VoIP ezingenza ngokuhlelekile zenze futhi zamukele izingcingo nemiyalezo ebhaliwe.
Iphakethe elisemthethweni le- UTwilio npm ulanda cishe isigamu sesigidi ngesonto, ngokusho konjiniyela. Ukuthandwa kwayo okuphezulu kuchaza ukuthi kungani abalingisi abasongelayo bangahle babe nentshisekelo yokubamba onjiniyela abanezinto zomgunyathi zegama elifanayo.
“Kodwa-ke, iphakethe likaTwilio-npm alizange lime isikhathi eside ngokwanele ukukhohlisa abantu abaningi. Kulayishwe ngoLwesihlanu, ngo-Okthoba 30, insizakalo kaSontatype's Release Integrity kubonakala sengathi ikhombise ukuthi iyasolisa ngosuku olulandelayo - ubuhlakani bokufakelwa nokufunda ngomshini kusobala ukuthi kusetshenzisiwe. NgoMsombuluko, Novemba 2, inkampani ishicilele okutholakele futhi ikhodi yahoxiswa.
Yize isikhathi esifushane sokusebenza kwembobo ka-npm, umtapo wolwazi ulandiwe izikhathi ezingaphezu kwama-370 futhi ufakwe ngokuzenzakalela kumaphrojekthi weJavaScript enziwe futhi aphathwa ngosizo lwe-npm command-line utility (Node Package Manager), ngokusho kukaSharma. . Futhi eziningi zalezo zicelo zokuqala kungenzeka ukuthi zivela ezinjinini zokuskena nama-proxies ahlose ukulandela izinguquko kwirejista yango-npm.
Iphakheji yomgunyathi iyi-malware yefayela elilodwa futhi inezinguqulo ezi-3 ezitholakalayo ukulanda (1.0.0, 1.0.1 no-1.0.2). Zonke izinguqulo ezintathu zibonakala zikhishwe ngosuku olufanayo, ngo-Okthoba 30. Inguqulo 1.0.0 ayifezi okuningi, ngokusho kukaSharma. Ifaka kuphela ifayili elincane le-expression, package.json, ekhipha insiza etholakala kusizinda esingezansi se-ngrok.
i-ngrok iyisevisi esemthethweni esetshenziswa abathuthukisi lapho behlola uhlelo lwabo lokusebenza, ikakhulukazi ukuvula ukuxhumana nezinhlelo zabo zeseva ze- "localhost" ngemuva kwe-NAT noma i-firewall. Kodwa-ke, ngokwezinguqulo 1.0.1 no-1.0.2, i-manifest efanayo inombhalo wayo wokufaka ngemuva kokulungiswa ukwenza umsebenzi oyingozi, ngokusho kukaSharma.
Lokhu kuvula ngempumelelo umnyango wangemuva emshinini womsebenzisi, kunikeze isilawuli isilawuli somshini osengozini kanye nekhono lokusebenzisa ikhodi ekude (RCE). USharma uthe umhumushi we-reverse command usebenza kuphela kumasistimu wokusebenza asuselwa ku-UNIX.
Onjiniyela kumele bashintshe ama-ID, izimfihlo nokhiye
Iseluleko sango-npm sithi onjiniyela okungenzeka ukuthi bafaka iphakethe eliyingozi ngaphambi kokuba lisuswe basengozini.
"Noma iyiphi ikhompuyutha efakwe noma esebenza kuyo le mpahla kumele icutshungulwe ngokuphelele," kusho ithimba lezokuphepha npm ngoMsombuluko, liqinisekisa uphenyo lukaSonatype.