Maybe a Vericode scan could be included and if passing, append a '.vta' (vericode tested & approved) extension to the end of the version. And have the ability in the package.json to only pull in libraries with the .vta extension? Probably some issues with this, but I'd be more confident if I knew the libraries were scanned.
Just curious to know why we don't have security in place before pushing any package, just like the app store, which accepts only if everything is fine? If it is because there are so many packages per day, then if security comes into place, authors will also be mindful in publishing as it takes time to get published.
Yeah, learning about these NPM exploits made me decide to use a VM for all local development. The other issue is NPM security warnings in CLI feel useless right now.
Similar to half a year or more ago with a different heavily used public library, with the difference that the owner of the library wanted to move the maintainer role to someone else as he couldn't continue, and the person he put his trust in had malicious intent, so no hacking of the npm publishing profile was made. ANY dependencies, doesn't have to be npm, are double-edged swords: they make it easier to create software but require huge amounts of trust that is sometimes misplaced. It doesn't have to be ill-intentioned people; just read about the left-pad incident to understand the level of trust we're dealing with.
These attacks are happening because Microsoft has an offer of a $25k prize pool for anybody who finds a vulnerability in an npm package; one of my friends is also doing this.
I’m seriously thinking of making a new git repo just for dependencies that have been audited and adding it as a sub module where needed. It’s definitely going to make me think really hard about adding a new dependency.
Your credit card is kept on the table; I cropped the image and cleared it using one of the ML tools.
Card number and expiry date are exposed by you.
You should care more about your security than NPM's.
Unfortunately we also became the victim of this hijacking. Our private npm registry cached that package within those 20 mins before NPM itself actually removed the compromised versions.
Being a penetration tester for years and answering such a wild topic is next level for me :), but this guy makes everything feel like "forget about it" :)
The way you deliver information has evolved and I wasn't expecting this way. Anyway liked it ❤
This video is only expected from Hitesh Sir. Love the way you teach 👏 🙌 One-stop solution to everything, Hitesh Choudhary
Thanks 😁
@HiteshCodeLab could you tell me the name of the song? I like that
@kapilkumar-rk8fe ++
1:12 please tell about this... Who writes these papers? What does it actually contain? And how to be a part of it? (as a developer)
please help through
This was incredible. Thanks. Gonna look at some of your courses now.
💯🔥spicy video 😂+informative .. hacker Hitesh 🤣
Can you explain what the `npm audit fix` command does, in brief?
Sir, I have taken your MERN course. Do I need the full backend course?
If this happens in the future, how do we fix things in our package?
Just npm install 🤔?
Now I understood why all of our team were running behind updating ua-parser-js version in our project last week...
Now you know it. 🙂
Hi Hitesh, can you make a video on how to write test cases in React JS?
@Contact From what I understand, WSL does minimize the attack surface but is still less secure than a full VM.
Outro song ?
Angular & React Developers left the chat 😂
Need to have a verified tag for packages, and hash verification of packages can be done.
Hitesh, I like your metallic t-shirt. I was trying to find it; please tell me where you got it, it seems pretty lightweight.
Really an important video. I also use a lot of npm packages and I think we should always know about their security.
Absolutely
There is a debit card on your desk? The logo looks like an HDFC Bank Visa card.
Cute how you brought about your suggestion of subscribing to your channel 😀
Do this course for back end web development?
Do you have any full stack web development course?
Very informative, thanks Hitesh for this.
Card on the desk. Security 😜
Hahaha, that’s a dummy card to test
You came up with spicy information video not just spicy video 😅..
Truly said 👏 💯
Make a video on Remix framework
Thanks for sharing the news
Hi Hitesh sir. Can you make a tutorial on the Apache Wicket framework? Or can you provide any material please? Thanks
Your thumbnail is awesome
Thanks 🙂
This is scary AF!
Please make videos on application security
this give me chills
This is so spicy 🔥😍😍
Can't comprehend what sort of havoc would be caused if such attacks happen to libraries like moment js, lodash or rxjs .. holy shit 😅
I like how our security advisor Hitesh leaves his visa card on the desk while filming. Intentional? :P
Tools like Snyk might help with this.
It was getting hacked by day one
No matter people like us got it now
Please make a course on web app security. It would be very helpful to a lot many.
That's why Deno came into the picture.
Dependency Confusion attacked
Is Django a solution for npm?
atm card on the desk 😅😁
I hope this is there in backend development course
Everyone do it, me first, me first
Guess I'll use Yarn
Before writing "first", please refresh your comment box...
I always think about these
deno tries to solve that
OTP before uploading
Thanks Hitesh for the informative video. I wish no hacker is able to get the data of your HDFC Visa card that is kept on the table. 😁
🙏 Good day
npm install security
Your card, sir
You have an npm crash course,😂 and npm has been crashed already!!
Fastest confirmation 🔝👍 believe me, no one ☝️ does it better than this, best and fast
You are from spin the hack
666k subs😜😜😜😜😜
The new way.... To hack😁
By machines,
love from Pakistan
😀
🥈
First
First
First
First