Questions tagged [package-manager]

A package manager is a tool that automates the installation, updating and removal of software.

47 questions
33 votes, 1 answer

Has malware ever been found in a package from a large Linux distribution and what is done to prevent this from occurring?

I am wondering exactly how safe the Arch, Ubuntu, Mint and Manjaro repositories are. What testing is done to ensure that a trusted user does not place a virus in a package, and how often?
user
16 votes, 2 answers

What are the security implications of homebrew and macports?

macports binaries are usable from /opt/local/bin/, i.e. for tesseract:

bin$ which tesseract
/opt/local/bin/tesseract
bin$ ls /opt/local/bin/tesseract
-rwxr-xr-x 1 root admin 28120 15 Sep 2016 /opt/local/bin/tesseract
bin$ ls /opt/local/ |…
16 votes, 1 answer

Unpublished modules on npm: could an attacker take advantage of their former notoriety?

Earlier this week, Azer Koçulu decided to unpublish his modules from npm, the default package manager for Node.js. He had published 273 modules in total. Some major modules, like Babel and React, relied on one of them: left-pad, and a lot of npm…
Benoit Esnard
12 votes, 3 answers

How to vet third-party developer packages

Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in the form…
user277711
12 votes, 3 answers

Does Python's pip provide cryptographic authentication and integrity validation?

Does Python's pip package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I see a lot of guides providing installation instructions with steps asking…
12 votes, 1 answer

Is it safe to use Python package managers like pip, easy_install or conda?

I know it is unsafe to install software (including Python packages) from untrusted or compromised sources. However, I wonder how safe I am when I am installing a trusted package from the Python Package Index or from the Anaconda repository (which I also…
abukaj
9 votes, 1 answer

How Homebrew may impact your Mac's security

I read (here and here) that Homebrew (the Unix package manager) is a significant Mac security risk. An attack is allowed because Homebrew makes /usr/local/bin writable without root user privilege, which allows another Homebrew process to write a…
Nick
8 votes, 3 answers

Recent ESLint hack or how can we protect ourselves from installing malicious npm packages?

Recently, the eslint-scope and eslint-config-eslint packages were hacked in an interesting way: one of the maintainers' accounts was compromised by an attacker and a new "patch" version with the malicious code was published to the npm registry. This…
alecxe
7 votes, 2 answers

Are devDependencies in Node.js exploitable?

I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency. But from a research perspective, I want to know whether a vulnerability in development…
LGDGODV
6 votes, 2 answers

What risks are involved with installing gems from rubygems.org? Are alternatives safer?

Normally, when installing a Ruby gem, I'd ask my system admin to run: sudo gem install gemname. However, there was recently a security breach with the source of gems, http://rubygems.org , and I'm wondering how safe this is, and whether alternatives…
Andrew Grimm
5 votes, 1 answer

Malicious NPM Package - Does it fit into OWASP Top Ten 2017?

On various security forums I have seen links to a post about a fictive malicious NPM package harvesting information. The post's title: I'm harvesting credit card numbers and passwords from your site. Here's how. The best quote in the post in my…
Ogglas
5 votes, 1 answer

Quantitative Security Analysis of Open Source Repos like CRAN and NPM

Is anyone aware of any quantitative analysis or research on the security of CRAN or NPM? e.g. How much malware is hosted, rate of compromise, speed to close, number of attack vectors, CERT reports etc etc. I'm trying to get a sense of the level of…
Colin
4 votes, 2 answers

Is the action of adding non-official repositories to Linux dangerous by itself?

Is the action of adding non-official (third party) repositories to Linux dangerous by itself? For example, in Debian environments one could do: add-apt-repository ppa:some_non_official_repository/nor_name. I don't mean the actual download of…
Arcticooling
3 votes, 2 answers

How to protect from dependency confusion attacks?

I recently came across the following article: https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/ It describes an exploit which exploits design flaws of different package managers, ex:…
user158
3 votes, 2 answers

How much damage can a malicious package do with just "npm install "?

I had a typo and npm installed something that is similar in name to something very popular; I was concerned about typosquatting. It's quite plausibly legitimate and just a coincidence. I looked at the corresponding package and didn't see…
user237586