Is npm inherently more insecure than other package managers (like yarn, or even package managers for other languages like pip or whatever) or do I just happen to hear about npm vulnerabilities more?
Cybersecurity
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
This article talks about "typosquatting", that just means they introduced packages with a similar name to other packages but in this case also containing malicious code.
I expect other package managers to be just as vulnerable to this. The only way I can think of to mitigate this is very strict registry policies, someone checking all versions of all packages in the registry to make sure there is no malicious code in them. That would take a lot of effort.
I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.
I don't believe yarn is any more secure than npm, especially not for this type of attack. Yarn used to be a bit more secure because it checked checksums where npm didn't, but that has been added to npm as well now (https://sebhastian.com/npm-err-code-eintegrity/)
> I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.
I guess that makes sense. For peak security I guess it's best to use a niche programming language to avoid that kind of thing