By compromising the GitHub Actions release pipeline of the TanStack project, attackers were able to publish 84 malicious versions of 42 NPM packages from the TanStack stack to the NPM repository. Some of the compromised packages are downloaded more than 10 million times per week.
Access to the release pipeline was obtained through a "Pwn Request" misconfiguration of pull_request_target in GitHub Actions (specifying a path filter in the configuration led to pull_request_target being triggered for pull requests from third parties), bypassing GitHub Actions secret protection via injection, and extracting the OIDC token from the memory of the runner process (Runner.Worker) by reading /proc/ /mem.
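The misconfiguration described above is worth checking for in your own repositories: a workflow that runs on pull_request_target has the base repository's secrets, so if it also checks out the pull request head and runs a package install, untrusted code from a fork executes with those secrets. The following is an added example, not code from the TanStack project or from the report; the two embedded workflow files are constructed samples, and the heuristics are line-based regular expressions rather than a full YAML parse.

```python
import re

# Constructed sample: the shape of a risky release workflow. Path filters on
# the trigger do not change who can open the pull request that fires it.
RISKY_WORKFLOW = """\
name: release
on:
  pull_request_target:
    paths:
      - 'packages/**'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pnpm install
"""

# Constructed sample: plain pull_request runs without base-repo secrets.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
    paths:
      - 'packages/**'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install
"""

# Trigger either as a mapping key ("pull_request_target:"), a list item
# ("- pull_request_target") or inline ("on: [push, pull_request_target]").
TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b",
    re.MULTILINE,
)
# Checkout of the untrusted head of the pull request.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
# Package installs run lifecycle scripts from the checked-out tree.
INSTALL_RE = re.compile(r"\b(?:npm|pnpm|yarn)\s+(?:install|ci)\b")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text."""
    findings: list[str] = []
    if not TRIGGER_RE.search(text):
        return findings  # nothing privileged is exposed to fork PRs
    findings.append("pull_request_target trigger: job runs with base-repo secrets")
    if HEAD_REF_RE.search(text):
        findings.append("checkout of untrusted PR head under pull_request_target")
    if INSTALL_RE.search(text):
        findings.append("package install (lifecycle scripts) runs in the privileged job")
    return findings


def is_pwn_request(text: str) -> bool:
    """True when the privileged trigger is combined with a checkout of the PR head."""
    return bool(TRIGGER_RE.search(text) and HEAD_REF_RE.search(text))


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, is_pwn_request(wf), audit_workflow(wf))
```

Run it over every file under .github/workflows/ in a repository; any file where is_pwn_request is true should either move to pull_request (no secrets) or stop checking out the PR head in the privileged job.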
The NPM packages with malicious changes were published on May 11 between 12:00 and 12:00 (MSK), detected twenty minutes later, and blocked an hour and a half after that. Two malicious versions of each affected NPM package were released, each containing code to run a small shai-hulud worm that searches the current environment for tokens and credentials. If an access token for the NPM registry is found, the worm publishes a new malicious release of the packages being built in the current environment, propagating through the dependency tree. More than 400 NPM packages that used TanStack packages as dependencies were affected in this way.
The worm was embedded in the file router_init.js and executed when a developer installed the package manually or when it was installed automatically in a continuous integration environment with the commands "npm install", "pnpm install" or "yarn install". Once running, the worm searched the system for tokens for NPM (~/.npmrc), AWS, GCP, Azure, HashiCorp and Kubernetes (K8s), as well as SSH private keys. The data it found was sent to the attackers via the decentralized P2P messenger getsession.org.
The worm was also designed to take destructive action if the captured NPM token was revoked. The system was set up to continuously run the script ~/.local/bin/gh-token-monitor.sh, which checked the token's validity every sixty seconds by accessing api.github.com/user; if the token had been revoked, it executed the command "rm -rf ~/".
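The file names above are the host-side indicators a defender has to work with: the injected router_init.js inside a dependency tree and the ~/.local/bin/gh-token-monitor.sh script with its references in shell startup files. The scanner below is an added example, not code from the report or the TanStack project; it builds a constructed directory layout in a temporary directory to show the checks working, and the list of persistence files it reads is an assumption, since the report does not say how the script was kept running.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the report.
WORM_FILE = "router_init.js"
MONITOR_SCRIPT = Path(".local/bin/gh-token-monitor.sh")
# Assumed: places to look for a reference to the monitor script. The report
# does not state the persistence mechanism, so this list is a defender's guess.
PERSISTENCE_FILES = [".bashrc", ".profile", ".zshrc", "crontab"]


def scan_node_modules(root: Path) -> list[Path]:
    """Return every router_init.js found under a node_modules directory below root."""
    hits: list[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if WORM_FILE in filenames and "node_modules" in Path(dirpath).parts:
            hits.append(Path(dirpath) / WORM_FILE)
    return sorted(hits)


def scan_home(home: Path) -> list[str]:
    """Report the monitor script itself and any startup file that references it."""
    findings: list[str] = []
    script = home / MONITOR_SCRIPT
    if script.exists():
        findings.append(f"monitor script present: {script}")
    for name in PERSISTENCE_FILES:
        candidate = home / name
        if candidate.is_file():
            text = candidate.read_text(errors="replace")
            if "gh-token-monitor" in text or "api.github.com/user" in text:
                findings.append(f"persistence reference in {candidate}")
    return findings


def scan_for_indicators(project_root: Path, home: Path) -> dict:
    """Combine both checks; every hit should be reviewed and the tokens on that host rotated."""
    return {
        "worm_files": [str(p) for p in scan_node_modules(project_root)],
        "host_findings": scan_home(home),
    }


def build_demo_tree() -> tuple[Path, Path]:
    """Constructed sample layout (no real artefacts) so the scanner can be demonstrated offline."""
    base = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    project = base / "project"
    pkg = project / "node_modules" / "@example" / "pkg"
    pkg.mkdir(parents=True)
    (pkg / WORM_FILE).write_text("// placeholder standing in for the injected file\n")
    home = base / "home"
    (home / MONITOR_SCRIPT).parent.mkdir(parents=True)
    (home / MONITOR_SCRIPT).write_text("#!/bin/sh\n# placeholder, not the real script\n")
    (home / ".bashrc").write_text("# constructed reference: ~/.local/bin/gh-token-monitor.sh\n")
    return project, home


if __name__ == "__main__":
    demo_project, demo_home = build_demo_tree()
    print(scan_for_indicators(demo_project, demo_home))
```

On a real machine, point scan_for_indicators at the checkout directory and the user's home; a hit on either indicator means the host's NPM, cloud and SSH credentials should be treated as exposed and the monitor script stopped before any token is revoked, because revocation is what triggers the destructive branch.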
Source: opennet.ru
