Readit News
axsharma commented on NPM 'accidentally' removes Stylus package, breaks builds and pipelines   bleepingcomputer.com/news... · Posted by u/daninet
Ukv · 8 months ago
> Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered.

Verifying that a package is unaffected can take some time. NPM may not know specifically when that package owner was compromised, or even if they've been a malicious actor the whole time, so the fact that there was no recent version isn't a guarantee of safety. Putting a security hold on the package in the meantime seems a reasonable approach.

> Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.

That it's frequently downloaded also makes it more pressing to block if there's a reasonable chance that it contains malware.

axsharma · 8 months ago
> "even if they've been a malicious actor the whole time"

That is a sound argument, even if integrity of the package was to check out (if npm tracks this internally at all).

Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for big-scale projects. Instead npm pulled the plug outright stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic. https://www.npmjs.com/package/stylus

axsharma commented on NPM 'accidentally' removes Stylus package, breaks builds and pipelines   bleepingcomputer.com/news... · Posted by u/daninet
joshstrange · 8 months ago
> "Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one. So that's the story here. A big false alarm by NPM," states Abai.

This seems completely reasonable. After posting 3 malicious packages they disabled all other packages for which he was a maintainer (could push updates).

"Accidentally" doesn't really fit with my reading. Maybe Stylus is clean but this move seems completely rational.

axsharma · 8 months ago
Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered. Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.

Fwiw, npm appears to be restoring access to the project https://github.com/stylus/stylus/issues/2938#issue-325479314...
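The two positions in this thread (hold the whole package because "no recent version" is not proof of safety, versus just revoke the flagged maintainer's rights) can be turned into a concrete triage over a package's registry metadata. The script below is an added example written for this page; it is not code from the thread, from npm or from the Stylus project. The packument is constructed sample data in the shape the npm registry returns (`versions`, per-version `_npmUser`, and the `time` map of publish timestamps); the package and account names are placeholders, and the compromise window is an assumed input.

```javascript
// Added example, not code from the thread or from npm: a defender-side
// triage of a package's registry metadata ("packument") when one maintainer
// account is suspected of being compromised. The packument below is
// constructed sample data in the shape the npm registry returns; package and
// account names are placeholders, not real projects or people.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.2.0' },
  maintainers: [
    { name: 'maintainer-a', email: 'a@example.invalid' },
    { name: 'flagged-account', email: 'f@example.invalid' },
  ],
  // npm records a publish timestamp per version under "time"
  time: {
    created: '2019-01-10T00:00:00.000Z',
    modified: '2021-07-18T12:00:00.000Z',
    '1.0.0': '2019-01-10T00:00:00.000Z',
    '1.1.0': '2020-03-02T09:30:00.000Z',
    '1.2.0': '2021-07-18T12:00:00.000Z',
  },
  // "_npmUser" on each version is the account that published it
  versions: {
    '1.0.0': { version: '1.0.0', _npmUser: { name: 'maintainer-a' } },
    '1.1.0': { version: '1.1.0', _npmUser: { name: 'flagged-account' } },
    '1.2.0': { version: '1.2.0', _npmUser: { name: 'flagged-account' } },
  },
};

// Answer the two questions from the thread: did the flagged account publish
// anything inside the suspected compromise window, and does it still hold
// publish rights? Returns a recommendation rather than pulling anything.
function triagePackument(packument, flaggedUser, compromisedSince) {
  const since = new Date(compromisedSince);
  const publishedByFlagged = [];
  const publishedInWindow = [];

  for (const [ver, meta] of Object.entries(packument.versions)) {
    const publisher = meta._npmUser ? meta._npmUser.name : undefined;
    if (publisher !== flaggedUser) continue;
    publishedByFlagged.push(ver);
    const stamp = packument.time[ver];
    // A version with no timestamp cannot be cleared, so treat it as in-window.
    if (!stamp || new Date(stamp) >= since) publishedInWindow.push(ver);
  }

  // Last version whose publish time predates the window: the pin candidate.
  const lastBeforeWindow = Object.keys(packument.versions)
    .filter((v) => packument.time[v] && new Date(packument.time[v]) < since)
    .sort((a, b) => new Date(packument.time[a]) - new Date(packument.time[b]))
    .pop() || null;

  const stillMaintainer = packument.maintainers.some((m) => m.name === flaggedUser);

  let recommendation;
  if (publishedInWindow.length > 0) {
    // Quarantine: versions inside the window need review before release.
    recommendation = 'hold';
  } else if (stillMaintainer) {
    // Nothing published in the window: remove the account, keep the package up.
    recommendation = 'revoke-publish-rights';
  } else {
    recommendation = 'no-action';
  }

  return {
    package: packument.name,
    flaggedUser,
    publishedByFlagged,
    publishedInWindow,
    stillMaintainer,
    latestFromFlagged: publishedByFlagged.includes(packument['dist-tags'].latest),
    lastBeforeWindow,
    recommendation,
  };
}

// Stand-alone run: compromise suspected from the start of 2021 (assumed window).
console.log(JSON.stringify(
  triagePackument(SAMPLE_PACKUMENT, 'flagged-account', '2021-01-01T00:00:00Z'),
  null, 2));
```

The useful output for a consumer is `lastBeforeWindow`, the version to pin to while the hold is in place; for a registry operator the split between `publishedInWindow` and `stillMaintainer` is what separates "quarantine the package" from "just remove the account", which is exactly the distinction argued over above. Widening `compromisedSince` (the "malicious the whole time" case) moves every version into the window and forces a hold.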

axsharma commented on Can AI Create a White Painting?   codyznash.github.io/white... · Posted by u/axsharma
sp332 · 2 years ago
Halfway down, next to the caption "Smooth even all white background", is this image: https://codyznash.github.io/white_paintings/images/SDXL_2.pn... Doesn't that count?
axsharma · 2 years ago
Close, that's more gray with a tint.

Deleted Comment

axsharma commented on UK to replace physical biometric immigration cards with e-visas   bleepingcomputer.com/news... · Posted by u/edward
dogma1138 · 2 years ago
In the UK a standard account (and many other services) is a legal right, as such the guidelines are quite specific.
axsharma · 2 years ago
GOV.UK seems conflicted about it lol "You usually do not need a BRP to open a bank account. Contact the bank to check if you’ll need a BRP or if you can use a different document." https://www.gov.uk/biometric-residence-permits/prove-your-st...

"The biometric residence permit is proof of the holder’s right to stay, work or study in the UK. It can also be used as a form of identification (for example, if they wish to open a bank account in the UK). https://assets.publishing.service.gov.uk/government/uploads/...

:')

axsharma commented on UK to replace physical biometric immigration cards with e-visas   bleepingcomputer.com/news... · Posted by u/edward
dogma1138 · 2 years ago
If you look at Lloyd’s under the actual documents accepted they don’t list it there.

They even state that: “The Biometric Residence Permit card may not be accepted in all our online journeys. You may need to provide additional documentation.”

Both HSBC and Barclays don’t accept them, not even to pick up a card from a branch.

EU identity cards are accepted but UK BRP and BRCs aren’t https://noidnosale.com/acceptable-forms-of-id-in-the-uk

If you managed to use yours for anything other than border control then it’s because whoever inspected it didn’t know the rules.

axsharma · 2 years ago
Good point, rather interesting they state "in all our online journeys," rather than in-person.

Anytime I've had to verify identity online for bank account opening, it entailed taking a photo of my ID which then goes through automated ID checks via Jumio or similar APIs.

axsharma commented on UK to replace physical biometric immigration cards with e-visas   bleepingcomputer.com/news... · Posted by u/edward
dogma1138 · 2 years ago
These cards are not a valid form of ID in the UK, you can’t open a bank account with a biometric permit. If you are a foreigner on a visa you have to use your passport to open a bank account, all the card does is prove that you have temporary or permanent leave to remain.

They currently have absolutely no use other than border control.

Source: I have one.

axsharma · 2 years ago
You need your passport if you've only got a vignette or in-passport visa sticker.

BRP is often accepted, in lieu of driving license for bank account opening. https://www.lloydsbank.com/legal/proof-of-identity.html

I wouldn't call it a "not valid form of ID," when you can use them to board domestic flights, prove your age at establishments, and practically use it as an ID where they'd otherwise accept a driving license for ID.

PS: I hold one too.

u/axsharma

Karma: 261 · Cake day: May 25, 2020
About
Security Researcher & Tech Reporter

@Ax_Sharma AxSharma.com
