Umphakathi wezobuchwepheshe uyaphenya ukuhlaselwa kwe-NPM supply chain eqondise amalabhulali e-JavaScript asetshenziswa kakhulu. Ngokwamaqembu ezokuphepha amaningi, abahlaseli banyebeleza uhlelo olungayilungele ikhompuyutha olusebenza nge-crypto-clipper kumaphakheji asakazwa kabanzi, okungenzeka shintsha ukuthengiselana futhi uguqule imali ye-crypto.
Nakuba ububanzi obungase bube bukhulu ngenxa ye- ukuduma kwalokhu kuncika ku-ecosystem ye-JavaScriptUkuhlaziya kokuqala kukhomba kumthelela olinganiselwe wezomnotho: amanani amancane, angaphansi kwamakhulu ambalwa amadola, kubikwa ukuthi ahanjisiwe ngenkathi abahlinzeki kanye nerejista bathatha isinyathelo sokususa izinguqulo eziguquliwe.
Ukugxambukela kwenziwa kanjani
Ukungena kwaqala nge Ama-imeyili obugebengu bokweba imininingwane ebucayi alingisa ukwesekwa okusemthethweni kwe-npm, abagcini bephakheji abafuna ngenkani babuyekeza ukuqinisekiswa kwezinto ezimbili ngokushesha. Isayithi elingumgunyathi lithwebule izifakazelo nekhodi, evumela abahlaseli ukuthi balawule i-akhawunti enezimvume ezibanzi (ezihlotshaniswa nomphakathi nesibizo esithi "Qix") futhi shicilela izinguqulo ezoniwe yokusetshenziswa okuhlukahlukene.
Abacwaningi abafana ne-Aikido Security kanye neqoqo le-JDSTAERK bachaza umkhankaso okwaziyo lungisa okuqukethwe kumasayithi, cindezela amakholi we-API, futhi uguqule lokho umsebenzisi acabanga ukuthi uyasayina., okwandisa ubungozi bezinsizakalo zewebhu ezihlanganisa la malayibhulali ngamaketango ajulile okuncika.
Amaphakheji athintekile kanye nobubanzi
Igebe lithintekile izinsiza eziyisisekelo ezikhona kumaphrojekthi amaningi, ngakho-ke namakhompyutha angawafaki ngokuqondile abengavezwa ngokuncika kokushintshayo. Phakathi kwamagama ashiwo amafemu nonjiniyela bezokuphepha kukhona:
- ushoki, i-chalk-template, strip-ansi, slice-ansi, wrap-ansi, isekela-umbala
- guqula umbala, igama lombala, intambo yombala
- ansi-regex, ansi-styles, has-ansi
- debug, iphutha-ex, is-arrayish, simple-swizzle
- isekela-ama-hyperlink, i-backslash, i-proto-tinker-wc
Lezi zingcezu zesofthiwe ziyanqwabelana Izigidi zokulanda kweviki kanye namarekhodi angaphezu kwesigidigidi, ezisebenza njengezisekelo zokwakha eziyisisekelo zamaseva esimanje, amathuluzi omugqa womyalo, nezinhlelo zokusebenza zewebhu.
Isebenza kanjani uhlelo olungayilungele ikhompuyutha
Ikhodi enonya yasebenza njenge-a i-crypto-clipper: Ngokuthola izindawo ezinezikhwama zesofthiwe (isb. izandiso ezifana ne-MetaMask), ibambe idatha yokwenziwe ngaphambi nje kokusayina futhi kungene ikheli lendawo ngomunye olawulwa abahlaseli.
Uma ingasibonanga isikhwama semali esisebenzayo, isigxivizo sizame a ukucutshungulwa kolwazi kumaseva angaphandle. Ezimeni ze-wallet ezisebenzayo, ngaphezu kokukhohlisa amakholi e-API, igade ibhodi lokunamathisela ukuze ibhale kabusha amakheli akopishwe umsebenzisi, iqhinga lakudala kulolu hlobo lokukhwabanisa.
Ongoti baveza ukuthi labo qinisekisa imininingwane ku-wallet yehadiwe esikrinini Banomgoqo ongokoqobo ophazamisa le vector: ukuqinisekiswa kokugcina kwenziwa kudivayisi futhi ikheli elibonisiwe alikwazi ukuguqulwa yisiphequluli noma iwebhu.
Umthelela wangempela kuze kube manje
Naphezu kobukhulu bokuvezwa, imali ehanjiswe ngabahlaseli yayizoba kuncane kakhulu (amashumi kuya kumakhulu ambalwa amadola), ngokwemikhondo ehlukahlukene eyenziwe obala ngabacwaningi. Abahlinzeki abaningana ngokushesha baxwayise futhi ukubhalisa kungasebenzi okuthunyelwe onakalisiwe emahoreni ambalwa.
Amaqembu e-Crypto wallet namasevisi afana nalokhu Ledger, Trezor, MetaMask, Phantom noma Uniswap Babike ukuthi abathinteki yizinguqulo ezishintshiwe noma bavikelwe ukuvikela okunezingqimba. Nokho, batusa ukuthi kubuyekezwe ngokucophelela umsebenzi ngamunye osayiniwe futhi kugcinwe izinqubo zokuqinisekisa ezinhle.
Isexwayiso sonjiniyela sicacile: uma iphrojekthi ukuncika okubuyekeziwe ngesikhathi sewindi lokuzibophezela, kuwumqondo omuhle ukuhlola sonke isihlahla futhi wakhe kabusha ngezinguqulo ezihlanzekile, ngisho noma uhlelo lokusebenza lungasiphathi i-cryptocurrencies ngokuqondile.
Okufanele bakwenze onjiniyela namaqembu
Ngaphandle kokulungiswa ngokushesha, izinhlangano kufanele zamukele izilawuli ze-supply chain ukunciphisa indawo yokuhlasela endaweni ye-JavaScript kanye ne-Node.js. Izinyathelo ezibalulekile zihlanganisa:
- Ukuphina izinguqulo nokusebenzisa amafayela wokukhiya; ikhubaza izibuyekezo ezizenzakalelayo ekukhiqizeni.
- Qinisekisa amasiginesha, ama-checksums, kanye ne-provenance; sebenzisa izinqubomgomo zokubuyekeza ngaphambi kokushicilelwa.
- Nika amandla i-2FA ngokhiye bokuqinisekisa ubunikazi be-FIDO kanye ukushintshanisa amathokheni nezimfihlo obala.
- Hlanganisa izikena zokuncika kanye nama-SBOM; qapha izinguquko ezingalindelekile kumaphakheji abalulekile.
- Khiqiza kabusha izakhiwo ezihlanzekile futhi uhlehlise ngokushesha izimpawu zokuyekethisa.
Kubasebenzisi bokugcina, iseluleko siyahamba hlola ikheli kanye nenani kudivayisi Ngaphambi kokusayina, qaphela izigelekeqe ezingalindelekile futhi umise imisebenzi uma uthola ukuziphatha okungajwayelekile kumawebhusayithi avamile noma ama-dApps.
Ukulandelana kwezikhathi kanye nama-protagonists
Umphakathi uwubone umkhankaso ekuqaleni kwesonto, ngaleso sikhathi izibalo emkhakheni ezifana Ledger CTO Charles Guillemet, ixwayise ngengozi yale mitapo yolwazi ukuthi ingene cishe kunoma yisiphi isitaki se-JavaScript. Emahoreni ambalwa kamuva, amaqembu afana ne-Blockaid ne-Aikido abelane ngohlu lwamaphakheji ahlaziyiwe nama-artifact.
Umnakekeli oxhumene ne-akhawunti eyonakalisiwe ukuqinisekisile ezinkundleni zokuxhumana ukuthi uyisisulu sakhe umkhonyovu wokusetha kabusha we-2FA futhi waxolisa ngenkathi uxhumanisa ne-npm ukususa okuthunyelwe okunonya. Umhlinzeki wokubhalisa ubonise ukuthi usebenza nabacwaningi ukuvala amaphethelo avulekile futhi aqinise izilawuli.
Nakuba konke kukhomba umonakalo olinganiselwe wezomnothoIsiqephu sikwenza kucace ukuthi ukuphepha kwe-JavaScript ecosystem kuncike ekuvikeleni ubunikazi bomnakekeli, ukuphoqelela ukukhishwa kwephakheji, kanye nokuthatha ukuthi ukuncika kuyisixhumanisi esibalulekile; ukuqinisa lawa maphuzu kunciphisa amathuba okuba isigameko esifanayo sivule iminyango kubahlaseli futhi.