A vulnerability allowed publishing an update to any package in the NPM repository

GitHub has disclosed two incidents in the NPM package repository infrastructure. On November 2, third-party security researchers (Kajetan Grzybowski and Maciej Piechota), working under the Bug Bounty program, reported a vulnerability in the NPM repository that allowed publishing a new version of any package from one's own account, even though that account was not authorized to make such changes.

The vulnerability was caused by an incorrect permission check in the code of the microservices that process requests to NPM. The authorization service checked package permissions based on the data passed in the request, but a different service, the one that uploads the update to the repository, chose which package to publish based on the metadata contained in the uploaded package itself. As a result, an attacker could request publication of an update to their own package, to which they had access, while the uploaded package's metadata named a different package, and it was that other package that ended up being updated.
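The defect described above is a mismatch between the identifier that is authorized and the identifier that is acted on. The toy registry below is an added illustration, not npm's code: the package names, maintainer sets, request shapes and tarball structure are constructed for the example. It contrasts a flow that authorizes on the request's package name but publishes on the manifest's name with a hardened flow that insists both names agree before writing anything.

```javascript
// Added illustration (not npm's code). A minimal registry model showing why
// the authorization step and the publish step must operate on the same name.

// Constructed registry state: who may publish which package, and the latest
// published version of each package.
function makeRegistry() {
  return {
    maintainers: {
      "attacker-utils": new Set(["mallory"]),
      "popular-lib": new Set(["alice"]),
    },
    versions: {
      "attacker-utils": "1.0.0",
      "popular-lib": "4.2.0",
    },
  };
}

function isAuthorized(registry, user, pkgName) {
  const owners = registry.maintainers[pkgName];
  return owners !== undefined && owners.has(user);
}

// Flawed flow: permission is checked against the name in the request, but the
// write uses the name found inside the uploaded manifest (package.json).
function publishVulnerable(registry, user, requestedName, tarball) {
  if (!isAuthorized(registry, user, requestedName)) {
    return { ok: false, reason: "forbidden" };
  }
  const manifest = JSON.parse(tarball.packageJson);
  registry.versions[manifest.name] = manifest.version; // acts on the wrong identifier
  return { ok: true, published: manifest.name };
}

// Hardened flow: authorize and publish on the same identifier, validate the
// manifest, and reject any upload whose manifest disagrees with the request.
function publishHardened(registry, user, requestedName, tarball) {
  if (!isAuthorized(registry, user, requestedName)) {
    return { ok: false, reason: "forbidden" };
  }
  let manifest;
  try {
    manifest = JSON.parse(tarball.packageJson);
  } catch {
    return { ok: false, reason: "malformed manifest" };
  }
  if (manifest.name !== requestedName) {
    return { ok: false, reason: "manifest name does not match requested package" };
  }
  if (typeof manifest.version !== "string" || manifest.version.length === 0) {
    return { ok: false, reason: "missing version" };
  }
  registry.versions[requestedName] = manifest.version; // same name that was authorized
  return { ok: true, published: requestedName };
}

module.exports = { makeRegistry, isAuthorized, publishVulnerable, publishHardened };
```

The general rule this encodes is that a service which performs a privileged write should never re-derive the target of that write from attacker-controlled content after authorization has already been decided; if a second source of the identifier exists, it is validated for equality and the request is rejected on disagreement.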

The issue was fixed six hours after the vulnerability was reported, but the vulnerability had been present in NPM for longer than the telemetry logs cover. GitHub states that no traces of attacks exploiting this vulnerability have been found since September 6, but there is no guarantee that the problem was never exploited.

The second incident occurred on October 26. During technical maintenance of the database behind the replicate.npmjs.com service, confidential data was found in a database accessible to external requests, exposing the names of internal packages mentioned in the change log. Knowledge of such names can be used to carry out dependency confusion attacks against internal projects (in February, a similar attack allowed code execution on servers of PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies).
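Leaked internal package names matter because a build that does not pin its internal scopes to a private registry can resolve such a name from the public registry instead. The check below is an added example, not tooling from npm or GitHub: it takes a project's dependency map and its `.npmrc` text and flags dependencies that could be satisfied publicly, namely scoped names whose scope has no `registry` mapping and unscoped names that appear on a constructed list of internal packages. The dependency names, the scope and the registry URL are all invented for the example.

```javascript
// Added illustration (not npm's or GitHub's code). Flags dependencies that are
// exposed to dependency confusion: internal packages that a default install
// could fetch from the public registry.

// Parse "@scope:registry=URL" lines from an .npmrc file into a Map.
function parseNpmrcScopes(npmrcText) {
  const scopes = new Map();
  for (const raw of npmrcText.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// deps: the "dependencies" object from package.json.
// internalNames: Set of unscoped names known to be internal (constructed input).
function findConfusionRisks(deps, npmrcText, internalNames) {
  const scopes = parseNpmrcScopes(npmrcText);
  const risks = [];
  for (const name of Object.keys(deps)) {
    if (name.startsWith("@")) {
      const scope = name.slice(0, name.indexOf("/"));
      if (!scopes.has(scope)) {
        risks.push({ name, reason: `scope ${scope} is not pinned to a registry in .npmrc` });
      }
    } else if (internalNames.has(name)) {
      risks.push({ name, reason: "internal package name is unscoped and resolves publicly" });
    }
  }
  return risks;
}

// Constructed sample input for a stand-alone run.
const sampleDeps = {
  "lodash": "^4.17.0",
  "@corp/ui-kit": "^2.0.0",
  "@partner/sdk": "^1.3.0",
  "billing-core": "^1.0.0",
};
const sampleNpmrc = [
  "# constructed .npmrc",
  "@corp:registry=https://registry.corp.example/",
  "always-auth=true",
].join("\n");
const sampleInternal = new Set(["billing-core", "auth-helpers"]);

module.exports = { parseNpmrcScopes, findConfusionRisks, sampleDeps, sampleNpmrc, sampleInternal };
```

A scope mapping alone is not sufficient protection; the private registry must also refuse to fall through to the public one for names it does not host. The check is still useful as a first pass because a missing mapping guarantees the public registry is consulted.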

In addition, given the growing number of cases in which repositories of major projects are hijacked and malicious code is distributed by compromising developer accounts, GitHub has decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to maintainers and administrators of packages on the most-popular list. Improvements to the infrastructure are also reported: automated monitoring and analysis of new package versions will be introduced for early detection of malicious changes.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases developers registering new accounts tried to reuse compromised passwords that had appeared in known password leaks. During a password security audit, 12% of NPM accounts (13% of packages) were found to be accessible because of predictable and trivial passwords such as "123456". Among the problematic accounts were four user accounts from the Top 20 most popular packages, 13 accounts with packages downloaded more than 4 million times a month, 40 with more than 10 million downloads a month, and 28 with more than 1 million downloads a month. Taking into account modules pulled in along the dependency chain, compromise of these weakly protected accounts could affect up to 20% of all modules in NPM.

Source: opennet.ru
