DEV Community

Discussion on: npm package discovered to have bitcoin-stealing backdoor

Ulimn

I'm curious: does Maven (Java) have issues like this? I'm thinking of the Maven Central repository mainly here.

Fabian Holzer

I'm not aware of attacks that follow a similar format as the one described, but what is quite common is that you have a neglected POM file and thereby get outdated dependencies into your class path. There is for example a plugin for Java build tools that checks your project dependencies against known vulnerabilities (OWASP_Dependency_Check).

The problem is, even if you are rather conservative with your third-parties, unless you eliminate them completely, the node ecosystem will still be too fragmented into small packages for anybody to ensure the integrity of all dependencies by manual review, which is frankly a major headache.
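For readers who want to try the check mentioned in the comment above, here is an added example of wiring the OWASP Dependency-Check Maven plugin into a project's pom.xml. This is illustrative configuration written for this thread, not code from the commenter or from the OWASP project; the plugin version shown is an assumption (pick the current release), and the CVSS threshold and the suppression-file path are example values you would choose for your own project.

```xml
<!-- Example pom.xml fragment (added illustration, not from the original post).
     Coordinates org.owasp:dependency-check-maven and the "check" goal are the
     plugin's real ones; the version number is an assumption, use the current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>10.0.4</version>
      <executions>
        <execution>
          <!-- Run during "mvn verify" so a CI build cannot pass with a known-vulnerable jar. -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Example threshold: fail the build if any finding scores CVSS 7.0 or higher. -->
        <failBuildOnCVSS>7.0</failBuildOnCVSS>
        <!-- Example path: reviewed false positives, kept in version control. -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` scans every resolved dependency (including transitive ones pulled in by a neglected POM) against the NVD data and fails the build above the chosen score; the first run downloads the vulnerability database, so expect it to take noticeably longer than later runs. Note that this catches known-vulnerable versions, not a freshly backdoored release like the npm case in the thread, which is exactly the gap the commenter points out.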