# javascript
c
I just started seeing this in my build logs for a Kotlin Multiplatform project that's compiled to JavaScript:
```
> Task :kotlinNpmInstall
warning workspace-aggregator-107d151b-247f-41fa-81dd-c9032d26021f > Project-lib-test > karma > ua-parser-js@0.7.29: this package has been hijacked
```
It looks like this is due to having karma used for my tests, e.g.
```kotlin
js(IR) {
    browser {
        testTask {
            useKarma {
                useChromeHeadless()
                ...
            }
        }
    }
}
```
It sounds like this is a security issue, but what's the solution to force the version of either the karma or the ua-parser-js implicit dependency?
b
Declare a devNpm dependency on a higher version of the package to override it.
n
I had the same problem, and less than an hour later I realized that malware (a crypto miner) had been installed on my machine. It seems to be a wrapped library from Kotlin Multiplatform that uses the package ua-parser-js. This package has been hijacked: https://github.com/faisalman/ua-parser-js/issues/536. I recommend you run a scan on your PC.
r
It's a bit scary... run some tests with your Kotlin project and end up with lost passwords, crypto malware installed and "who knows what else", because some tiny npm project you've never heard of was compromised 😞
👍 5
b
What's even scarier is that Linux is also affected.
👍 2
n
Indeed, I am in the process of logging out of all my accounts to invalidate the sessions. I think my passwords are safe because they are stored in a password manager (Bitwarden). For security I am also resetting my SSH key etc. But I have to admit that I'm a bit afraid of forgetting something important.
b
Thank god I'm always too lazy to write karma tests for my webapps.
😀 1
c
I found that my desktop was using a cached version, so I think I'm safe. I looked under build/js/node_modules/ua-parser-js/ and didn't see that the bad 0.7.29 version had been downloaded.
So if you’re not sure whether the bad version was downloaded, this could be something to check.
m
Is there an easy way to confirm or rule out that a Gradle project has been exposed? There could be other packages beyond karma using this?
b
On Linux run "ps -aux | grep jsextension".
🙏 1
c
I'm currently looking into how to prevent npm/yarn from executing arbitrary code when they download packages. There's documentation on how to do that generally, but I'm trying to figure out if there's anything special that needs to be done when Kotlin is invoking them.
n
On any machine, you can go to the build directory of your project and search for "jsextension". On Windows, the name of the file is "jsextension.exe" and its description is not even trying to hide anything:
[screenshot: unknown-4.png]
@Carter if you find a way, I'm interested! 🙂
c
At a high level, this is how it is done globally. But I’m trying to determine whether Kotlin respects that. Better would be figuring out what incantation to put into the Gradle DSL. Because that makes the project safer for everyone checking it out.
h
Did anyone create a ticket on YouTrack with "Security problem"?
nope 3
r
@hfhbd are you doing it? Or should I
h
Sorry for the delay, I created https://youtrack.jetbrains.com/issue/KT-49383
Workaround: depend on a non-affected version in your test dependencies. New projects will automatically use the non-affected version 0.7.30.
```kotlin
dependencies {
    testImplementation(kotlin("test"))
    testImplementation(npm("ua-parser-js", "0.7.30")) // 0.7.29 is affected
}
```
Or disable script execution altogether. Single install:
```
npm install --ignore-scripts
```
Global config:
```
npm config set ignore-scripts true
```
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
👍 1