A vulnerability that allowed an update to be published to any package in the NPM repository

GitHub has disclosed two incidents in the infrastructure of its NPM package repository. On November 2, third-party security researchers (Kajetan Grzybowski and Maciej Piechota), as part of the Bug Bounty program, reported a vulnerability in the NPM repository that allowed a new version of any package to be published using an account that was not authorized to perform such updates.

The vulnerability was caused by an incorrect permission check in the code of the microservices that process requests to NPM. The authorization service checked package permissions based on the data passed in the request, but a different service, the one that uploads the update into the repository, determined which package to publish based on the metadata contained in the uploaded package. Thus, an attacker could request the publication of an update to their own package, to which they have access, but specify inside the package itself information about a different package, which is the one that ultimately got updated.
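To make the mismatch concrete, the following toy registry (an added example, not npm's or GitHub's code; all package and user names are constructed) models a publish flow whose authorization step keys on the package name in the request while its upload step keys on the name inside the uploaded manifest, next to a hardened flow that ties both to a single name.

```javascript
// Added example (not npm's code): a toy registry that models the permission
// check mismatch described above, with the vulnerable and the hardened flow.
function makeRegistry() {
  // Constructed sample data: who may publish which package, and known versions.
  return {
    owners: { "alice-utils": ["alice"], "popular-lib": ["bob"] },
    versions: { "alice-utils": ["1.0.0"], "popular-lib": ["2.3.1"] },
  };
}

function isAuthorized(reg, user, pkgName) {
  return (reg.owners[pkgName] || []).includes(user);
}

function storeVersion(reg, pkgName, version) {
  reg.versions[pkgName] = reg.versions[pkgName] || [];
  reg.versions[pkgName].push(version);
}

// Vulnerable flow: authorization uses the package name from the request
// (URL path), while the upload step uses the name from the uploaded
// package.json manifest. Nothing checks that the two agree.
function publishVulnerable(reg, user, requestedName, manifest) {
  if (!isAuthorized(reg, user, requestedName)) return { ok: false, reason: "forbidden" };
  storeVersion(reg, manifest.name, manifest.version); // trusts the manifest
  return { ok: true, published: manifest.name };
}

// Hardened flow: insist that the manifest names the same package as the
// request, then authorize against that single name before writing.
function publishHardened(reg, user, requestedName, manifest) {
  if (manifest.name !== requestedName) return { ok: false, reason: "name-mismatch" };
  if (!isAuthorized(reg, user, manifest.name)) return { ok: false, reason: "forbidden" };
  storeVersion(reg, manifest.name, manifest.version);
  return { ok: true, published: manifest.name };
}

// Scenario: alice owns alice-utils but uploads a manifest naming popular-lib.
// Returns the publish result and the resulting version list of popular-lib.
function demo(publish) {
  const reg = makeRegistry();
  const manifest = { name: "popular-lib", version: "2.3.2" };
  const result = publish(reg, "alice", "alice-utils", manifest);
  return { result, popularLibVersions: reg.versions["popular-lib"] };
}
```

Running `demo(publishVulnerable)` shows popular-lib gaining a version alice was never authorized to publish, while `demo(publishHardened)` rejects the request before anything is written.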

The issue was fixed 6 hours after the vulnerability was reported, but the vulnerability had existed in NPM for longer than the retention period of the telemetry logs. GitHub states that there is no trace of attacks exploiting this vulnerability since September 2020, but there is no guarantee that the problem was not exploited before that.

The second incident occurred on October 26. During maintenance work on the database of the replicate.npmjs.com service, confidential data was found in a database reachable by external requests, disclosing the names of internal packages mentioned in the changelog. Such names can be used to carry out dependency confusion attacks on internal projects (in February, a similar attack allowed code to be executed on the servers of PayPal, Microsoft, Apple, Netflix, Uber and 26 other companies).

In addition, because of the growing number of cases in which the repositories of large projects are hijacked and malicious code is pushed by compromising developer accounts, GitHub has decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to maintainers and administrators of packages included in the popular list. Improvements to the infrastructure were also announced: automated monitoring and analysis of new package versions will be introduced for early detection of malicious changes.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases, when registering new accounts, developers tried to reuse passwords that had appeared in known password leaks. During a password security audit, 12% of NPM accounts (13% of packages) were accessed because of the use of predictable and trivial passwords such as "123456". Among the problematic ones were 4 user accounts from the 20 most popular packages, 13 accounts with packages downloaded more than 50 million times per month, 40 with more than 10 million downloads per month, and 282 with more than 1 million downloads per month. Taking into account the loading of modules along the dependency chain, the compromise of untrusted accounts could affect up to 52% of all NPM modules.

Source: opennet.ru