Thousands of phishing and malicious packages identified in NPM

A phishing attack on users of the NPM repository has been recorded: on February 20, more than 15 thousand packages were uploaded to the NPM repository whose README files contained links to phishing sites or referral links that pay out bonuses for clicks. During analysis, 190 phishing or advertising links spanning 31 domains were identified in the packages.

The package names were chosen to attract the interest of ordinary users, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", etc. The calculation was to fill the list of recent updates on the NPM main page with the malicious packages. The package descriptions included links promising free giveaways, gifts, game cheats, and free services for increasing followers and likes on social networks such as TikTok and Instagram. This is not the first attack of this kind; in December, the publication of 144 thousand malicious packages was recorded in the NuGet, NPM and PyPI repositories.


The content of the packages was generated automatically by a Python script that was apparently left in the packages by mistake and that included the working credentials used in the attack. The packages were published under many different accounts, using methods that made it difficult to trace the activity and to quickly identify the problem packages.

In addition to the fraudulent activity, several attempts to publish malicious packages were also detected in the NPM and PyPI repositories:

  • 451 malicious packages were found in the PyPI repository, masquerading as popular libraries through typosquatting (assigning similar names that differ by individual characters, for example vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocommpare instead of cryptocompare, seleium instead of selenium, pinstaller instead of pyinstaller, etc.). The packages included obfuscated code for stealing cryptocurrency: it detected crypto wallet identifiers in the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet number pasted from the clipboard is different). The replacement was performed by a browser add-on that ran in the context of every web page viewed.
  • A series of malicious HTTP libraries was identified in the PyPI repository. Malicious activity was found in 41 packages whose names were chosen using typosquatting techniques and resembled popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The packages were styled to look like working HTTP libraries or copied the code of existing libraries, and their descriptions included claims about advantages and comparisons with legitimate HTTP libraries. The malicious activity consisted of either downloading malware onto the system or collecting and sending out sensitive data.
  • NPM identified 16 JavaScript packages (speedte*, trova*, lagra) which, in addition to the declared functionality (speed testing), also contained cryptocurrency mining code that ran without the user's knowledge.
  • NPM identified 691 malicious packages. Most of the problem packages posed as Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code for sending confidential information to external servers. It is assumed that those who uploaded the packages were trying to get their own dependencies substituted in when projects are built at Yandex (the internal dependency substitution technique, known as dependency confusion). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, etc.) containing obfuscated malicious code that downloaded and ran an executable file from an external server.
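As an added example (not code from the article or from any of the repositories or researchers it mentions), here is a defender-side check for the typosquatting pattern described above: it flags dependency names that lie within a small edit distance of an allow-list of legitimate package names, so look-alikes such as requestst or ulrlib are caught before installation. The allow-list, the sample requirements file and all function names are constructed for this illustration.

```python
import re

# Constructed allow-list of the legitimate names the article's typosquats imitate.
TRUSTED = ["vyper", "bitcoinlib", "cryptofeed", "ccxt", "cryptocompare",
           "selenium", "pyinstaller", "requests", "urllib"]

# Constructed sample requirements file mixing legitimate and look-alike names.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "requestst", "seleium>=4", "selenium",
                       "bitcoinnlib", "ulrlib", "numpy  # unrelated, ignored"]

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or swap
    of two adjacent characters each costs 1 (so 'ulrlib' -> 'urllib' is 1)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def closest_trusted(name: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (trusted_name, distance) if `name` is not itself trusted but lies
    within max_distance of a trusted name; None otherwise."""
    if name.lower() in trusted:
        return None
    best = min(((t, edit_distance(name, t)) for t in trusted), key=lambda x: x[1])
    return best if best[1] <= max_distance else None

def scan_requirements(lines):
    """Map each suspicious requirement name to the trusted package it resembles;
    comments and version specifiers are stripped before comparison."""
    findings = {}
    for line in lines:
        name = re.split(r"[=<>!~\[; ]", line.split("#", 1)[0].strip(), maxsplit=1)[0]
        if name and (hit := closest_trusted(name)):
            findings[name] = hit
    return findings

if __name__ == "__main__":
    for pkg, (legit, dist) in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg!r} looks like {legit!r} (edit distance {dist})")
```

A real allow-list would be the project's pinned lock file or a curated list of top packages; the distance threshold should stay small, since a large one turns every short name into a false positive.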

Source: opennet.ru
