A spam attack on the NPM package directory has been detected. On February 20, more than 15 packages were added to the NPM repository whose README files contained links to phishing sites or referral links that pay out a commission. Analysis of the packages revealed 190 unique phishing or advertising links spanning 31 domains.
The package names were chosen to attract a broad audience, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", and so on. The goal was to flood the list of recent updates on the NPM site with spam packages. The package descriptions included links promising free giveaways, gifts, game cheats, and free services for boosting followers and likes on social networks such as TikTok and Instagram. This is not the first attack of this kind; in December, 144 spam packages were published on NuGet, NPM and PyPi.

The content of the packages was generated automatically by a Python script, which was evidently left behind in the packages and included the credentials used in the attack. The packages were published under several different accounts using techniques that make the problem packages hard to trace and to identify quickly.
Besides the spam, several attempts to distribute malicious packages have also been detected in the NPM and PyPi repositories:
- 451 malicious packages were found in the PyPI repository that disguised themselves as popular libraries using typosquatting (assigning names that differ from the original by individual characters, e.g. vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocommpare instead of cryptocompare, selenium, installer, etc.). The packages included cryptocurrency-stealing code that detected crypto wallet IDs in the clipboard and replaced them with the attacker's wallet (the assumption being that the victim would not notice that the wallet number copied to the clipboard had changed when making a payment). The substitution was carried out by a browser add-on that ran in the context of every page viewed.
- Several malicious HTTP libraries were found in the PyPI repository. Malicious activity was found in 41 packages whose names were chosen by typosquatting to resemble popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The payloads were styled to look like working HTTP libraries or copied the code of existing libraries, and the descriptions contained claims about their advantages and comparisons with legitimate HTTP libraries. The malicious activity consisted of downloading malware onto the system or collecting and exfiltrating confidential data.
- NPM was found to contain 16 JavaScript packages (speedte*, trova*, lagra) which, in addition to their declared functionality (bandwidth testing), also contained cryptocurrency-mining code that ran without the user's knowledge.
- 691 malicious packages were found in NPM. Most of the problem packages imitated Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code that sent confidential information to external servers. It is believed that whoever placed the packages was attempting to get their own dependencies substituted when projects are built at Yandex (a technique for substituting internal dependencies). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpssos, pohttp, etc.) containing obfuscated code that downloads and runs an executable file from an external server.
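The typosquatted names in the two PyPI items above (vper for vyper, requestst for requests, and so on) are all one or two character edits from the package they imitate. The following is an added example, not code from the article or from any of the projects it mentions: a small defender-side check that flags dependency names sitting within a short edit distance of a known popular package. The allow-list `POPULAR` is an assumption built from names mentioned in the article, and the requirements text in the test is constructed.

```python
# Added example: flag dependency names that are a small edit away from a popular package.
# POPULAR is an assumed allow-list drawn from names in the article; a real check would use
# a curated list or registry download counts.
POPULAR = {"vyper", "bitcoinlib", "cryptofeed", "ccxt", "cryptocompare",
           "selenium", "requests", "urllib3", "httpx", "aiohttp"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))  # prev2 = row i-2, prev = row i-1
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ulrlib" -> "urllib"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious(name: str, popular=POPULAR, max_dist: int = 2):
    """Return (closest_popular_name, distance) if `name` looks like a typosquat, else None."""
    name = name.lower().replace("_", "-")
    if name in popular:          # exact match to a known package is fine
        return None
    best = min((edit_distance(name, p), p) for p in popular)
    if best[0] <= max_dist:
        return best[1], best[0]
    return None


def scan_requirements(text: str) -> dict:
    """Scan requirements.txt-style text; return {name: (lookalike, distance)} for hits."""
    hits = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Strip a version specifier such as ==, >=, <= to get the bare name
        name = line.split("==")[0].split(">=")[0].split("<=")[0].strip()
        res = suspicious(name)
        if res:
            hits[name] = res
    return hits
```

A short `max_dist` keeps the false-positive rate down on four-letter names like ccxt; names such as aio5 that imitate a library by prefix rather than by typo (aio5 vs aiohttp) fall outside this check and need a separate rule.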
Source: opennet.ru
