Vulnerability that allowed publishing updates to any package in the NPM registry

GitHub has disclosed two incidents affecting the NPM package registry infrastructure. On November 2, third-party security researchers (Kajetan Grzybowski and Maciej Piechota) reported, through the bug bounty program, a vulnerability in the NPM registry that allowed publishing a new version of any package from an account that was not authorized to make such updates.

The vulnerability stemmed from inconsistent authorization checks across the microservices that handle NPM requests. The authorization service checked access rights to a package based on the data supplied in the request, but a different service, the one that writes the update into the registry, determined which package to publish from the metadata inside the uploaded package itself. An attacker could therefore request an update to their own package, to which they had access, while naming a different package inside the uploaded package; that other package was then the one that got updated.
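The mismatch described above, modelled as an added example (this is not npm's code; the two service functions, the registry state, the user and package names and the assumption that the name inside the tarball lives in its package.json are all hypothetical). The vulnerable publish path authorizes one package name and acts on another; the hardened path refuses unless the two agree, and additionally rejects a version that already exists:

```javascript
// Constructed registry state: who may publish which package, and which
// versions already exist. Fresh state per call so runs are independent.
function makeRegistry() {
  return {
    owners: {
      "left-pad": new Set(["left-pad-maintainer"]),
      "attacker-pkg": new Set(["attacker"]),
    },
    versions: {
      "left-pad": ["1.3.0"],
      "attacker-pkg": ["0.0.1"],
    },
  };
}

// Stand-in for the authorization microservice: decides, from the package
// name carried in the request, whether `user` may publish to it.
function authorize(registry, user, requestedName) {
  const owners = registry.owners[requestedName];
  return owners !== undefined && owners.has(user);
}

// Stand-in for the publish microservice as the page describes the flawed
// version: the package to update is read from the tarball's package.json,
// not from the name the authorization service checked.
function publishVulnerable(registry, user, requestedName, tarball) {
  if (!authorize(registry, user, requestedName)) {
    return { ok: false, reason: "forbidden" };
  }
  const { name, version } = tarball.packageJson; // attacker-controlled
  if (!registry.versions[name]) registry.versions[name] = [];
  registry.versions[name].push(version);
  return { ok: true, name, version };
}

// Hardened variant: the effect must be applied to exactly the object the
// authorization decision was made about, so the tarball's name must equal
// the requested name. Duplicate versions are rejected as well.
function publishFixed(registry, user, requestedName, tarball) {
  if (!authorize(registry, user, requestedName)) {
    return { ok: false, reason: "forbidden" };
  }
  const { name, version } = tarball.packageJson;
  if (name !== requestedName) {
    return { ok: false, reason: "package name in tarball does not match request" };
  }
  if (!registry.versions[name]) registry.versions[name] = [];
  if (registry.versions[name].includes(version)) {
    return { ok: false, reason: "version already published" };
  }
  registry.versions[name].push(version);
  return { ok: true, name, version };
}

// Constructed attacker upload: sent as an update to "attacker-pkg", which the
// attacker owns, but the package.json inside names someone else's package.
const attackerTarball = { packageJson: { name: "left-pad", version: "1.3.1" } };

// Run the same malicious request against both publish paths and report what
// ended up in the registry for the victim package.
function demo() {
  const vulnerable = makeRegistry();
  const vulnerableResult = publishVulnerable(vulnerable, "attacker", "attacker-pkg", attackerTarball);
  const fixed = makeRegistry();
  const fixedResult = publishFixed(fixed, "attacker", "attacker-pkg", attackerTarball);
  return {
    vulnerableResult,
    vulnerableLeftPad: vulnerable.versions["left-pad"],
    fixedResult,
    fixedLeftPad: fixed.versions["left-pad"],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The general lesson is the one the incident illustrates: when an authorization check and the action it guards are performed by different components, both must derive the protected object's identity from the same field, or the acting component must re-verify that the identity it is about to use is the one that was authorized.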

The issue was fixed six hours after the vulnerability was reported, but it had been present in NPM for longer than the retention window of the telemetry data. GitHub states that no signs of attacks exploiting this vulnerability have been found since September 2020, but there is no guarantee that it was never exploited before that.

The second incident occurred on October 26. During maintenance of the replicate.npmjs.com database, confidential data was found to be exposed in a publicly accessible database: the names of private packages appeared in the change feed. Such names can be used for dependency confusion attacks on internal projects (in February, an attack of this kind made it possible to execute code on the servers of PayPal, Microsoft, Apple, Netflix, Uber and about 30 other companies).

In addition, given the growing number of takeovers of large projects' repositories and of malicious code being pushed through compromised developer accounts, GitHub has decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to maintainers and administrators of packages on the list of the most popular ones. Infrastructure improvements were also announced, including automated monitoring and analysis of new package versions for early detection of malicious changes.

As a reminder, according to a 2020 study, only 9.27% of package maintainers used two-factor authentication to protect access, and in 13.37% of cases package developers attempted to reuse compromised passwords from known password leaks when registering new accounts. A password strength check showed that 12% of NPM accounts (covering 13% of packages) were compromised by the use of predictable, trivial passwords such as "123456". The affected accounts included four user accounts belonging to the 20 most popular packages, 13 accounts with packages downloaded more than 50 million times a month, 40 with more than 10 million downloads a month, and 282 with more than 1 million a month. Taking into account loading through dependency chains, the compromise of such untrusted credentials could affect up to 52% of all NPM modules.

source: budenet.ru
