
> The "instead of" depends very much on the exploit and where it's wedged in the code. I doubt it's anywhere near 99%. Plus, getting the exploit to execute on the developer's machine is difficult to manage even in the best cases.

We don't need to guess, it's going to be wedged in index.js, probably on line 1.

Are you aware that all transitive dependencies are executed immediately? You depend on PackageA which imports PackageB, which imports PackageC, which imports a trojanized PackageD. As soon as PackageD is imported, it executes its payload and infects your machine.

All of this happens in the blink of an eye, as soon as you run anything that kicks off an import chain containing a trojanized dependency.

Try it for yourself. This will simulate a malicious transitive dependency: koa > cookies > keygrip > tsscmp. You don't need to do anything except import koa.

    mkdir demo && cd demo
    npm install --save koa@3.2.0
    # the entry point only imports koa; it never mentions tsscmp
    echo 'import "koa";' > demo.mjs
    # simulate a trojanized leaf dependency: append a payload to tsscmp's main file
    echo 'console.log("\n\n---  pwned by a transitive dependency ---")' >> node_modules/tsscmp/lib/index.js
    # importing koa alone is enough to run the appended code
    node demo.mjs

> Saying "well there are stupid people in the world" seems like a pretty bad justification to leave a hole open

Then you're calling much of the HN audience stupid. I've had this argument on here several times - and this is the top percentile of people who try to do something at all.

The justification for leaving this hole open is that it's a waste of time, resources, and mindshare patching a hole when there's a comparable and unpatchable hole right next to it. Advocate for things that actually work, like sandboxes.


