Security

17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com) 36

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPl. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.
Bug

NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error (bleepingcomputer.com) 124

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.
Security

Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com) 88

Catalin Cimpanu, reporting for BleepingComputer: The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular -- albeit deprecated -- JavaScript package. The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team -- which analyzed this package earlier today after reports from the npm community -- says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library.
Bug

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com) 256

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.
Programming

Which JavaScript Framework is the Most Popular? (infoworld.com) 161

An anonymous reader quotes InfoWorld's report on which JavaScript frameworks are the most widely-used: In a study of 28-day download cycles for front-end JavaScript frameworks, NPM, which oversees the popular JavaScript package registry, found that React has been on a steady upward trajectory; it now accounts for about 0.05 percent of the registry's 13 billion downloads per month as of the fourth quarter of 2017. Web developers as well as desktop and mobile developers are adopting the library and it has spawned an ecosystem of related packages. Preact, a lightweight alternative to React, also has seen growth and could become a force in the future.

On the down side, Backbone, which accounted for almost 0.1 percent of all downloads in 2013, now comprises only about 0.005 percent of downloads (about 750,000 per month). Backbone has declined steeply but is kept afloat by the long shelf life of projects using it, NPM reasoned. The jQuery JavaScript library also remains popular but has experienced decreasing interest. Angular, the Google-developed JavaScript framework, was the second-most-popular framework behind React, when combining the original Angular 1.x with the rewritten Angular 2.x. Version 1.x was at about 0.0125 percent of downloads last month while version 2.x was at about 0.02 percent. Still, Angular as a whole is showing just modest growth.

They also report that the four JavaScript frameworks with the fastest growth rates for 2017 were Preact, Vue, React, and Ember.

But for back end services written in JavaScript, npm reports that Express "is the overwhelmingly dominant solution... The next four biggest frameworks are so small relative to Express that it's hard to even see them."
Programming

Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org) 84

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately."
Programming

'The State of JavaScript Frameworks, 2017' (npmjs.com) 114

An anonymous reader shares some new statistics from Laurie Voss, co-founder and COO of npm (the package manager/software registry for JavaScript): The sum of all the package downloads in the npm Registry shows that the npm ecosystem continues to experience explosive, continuous growth... Right now, we estimate about 75% of all JavaScript developers use npm, and that number is rising quickly to reach 100%. We believe there are about 10 million npm users right now.
The first post in a three-part series graphs the popularity and growth rate for seven JavaScript frameworks.
  • Preact is tiny but the fastest-growing.
  • Vue is also very fast growing and neck and neck with Ember, Angular and Backbone
  • Ember has grown more popular in the last 12 months.
  • Angular and Backbone have both declined in popularity.
  • jQuery remains hugely popular but decreasingly so.
  • React is both huge and very fast-growing for its size.

Communications

Messaging-App Kik's Big Bet On Digital Coin Offering (wsj.com) 25

cdreimer writes: According to a report from The Wall Street Journal (Warning: source may be paywalled, alternative source), messaging app Kik is planning a $125 million coin offering to tap into the highly speculative cyptrocurrency market. Kik made the news last year by getting the JavaScript registry, npm, to give them the "kik" package name, prompting the developer to remove all his packages, including the popular "pad-left" package, and breaking thousands of JavaScript project for a week. From the report: "Messaging-app operator Kik Interactive said Tuesday that it is aiming to raise $125 million through a so-called initial coin offering in September, one of the first established companies to step into the mushrooming but highly speculative market for these digital tokens. In doing so, Kik, which has encountered growth issues, is trying to tap into the surging interest in cryptocurrencies and digital tokens associated with them. It also is experimenting with a potential way for its investors to essentially cash out of the company without actually selling their equity. The market for digital coins has exploded in 2017, with more than 100 firms raising more than $1.7 billion, up from 64 firms raising about $103 million in 2016, according to research firm Smith & Crown. Most of these firms, though, are startups and in many cases don't have a working product. In that, Kik is different. Its messaging app is popular among teens in Canada and the U.S. Kik also allows developers to publish games and services within the platform, a hook meant to keep users on the app for longer."
Stats

Are There More Developers Than We Think? (redmonk.com) 191

JavaScript's npm package manager reports 4 million users, doubling every year, leading to an interesting question from tech industry analyst James Governor: Just how many developers are there out there? GitHub is very well placed to know, given it's where (so much) of that development happens today. It has telemetry-based numbers, with their own skew of course, but based on usage rather than surveys or estimates. According to GitHub CEO Chris Wanstrath, "We see 20 million professional devs in the world as an estimate, from research companies. Well we have 21 million [active] users -- we can't have more users than the entire industry"...

If Github has 21 million active users, Wanstrath is right that current estimates of the size of the developer population must be far too low... Are we under-counting China, for example, given its firewalls? India continues to crank out developers at an astonishing rate. Meanwhile Africa is set for crazy growth too... You certainly can't just count computer science graduates or software industry employees anymore. These days you can't even be an astronomer without learning code, and that's going to be true of all scientific disciplines.

The analyst attributes the increasing number of developers to "the availability, accessibility and affordability of tools and learning," adding "It's pretty amazing to think that GitHub hit 5 million users in 2012, and is now at 20 million." As for the total number of all developers, he offers his own estimate at the end of the essay. "My wild assed guess would be more like 35 million."
Programming

Slashdot's Interview With Swift Creator Chris Lattner 85

You asked, he answered! The creator of Apple's Swift programming language (and a self-described "long-time reader/fan of Slashdot") stopped by on his way to a new job at Tesla just to field questions from Slashdot readers. Read on for Chris's answers...
Open Source

Node.js's npm Is Now The Largest Package Registry in the World (linux.com) 133

Linux.com highlights some interesting statistics about npm, the package manager for Node.js.
  • "At over 350,000 packages, the npm registry contains more than double the next most populated package registry (which is the Apache Maven repository). In fact, it is currently the largest package registry in the world."
  • In the preceding four weeks, users installed 18 billion packages.
  • This translates into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
  • ping.npmjs.com "shows that the registry's services offer a 99.999 uptime."
  • Every week roughly 160 people publish their first package in the registry

But what about the incident last year where a developer suddenly pulled all their modules and broke thousands of dependent projects? npm's Ashley Williams "admitted that the left-pad debacle happened because of naive policies at npm. Since, the npm team have devised new policies, the main one being that you are only allowed to unpublish a package within 24 hours of publishing it." And their new dissociate and deprecate policy allows developers to mark packages as "unmaintained" without erasing them from the registry.


Open Source

New Attack Discovered On Node.js Package Manager npm (softpedia.com) 90

An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.
Programming

How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk) 480

An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
Programming

A Bechdel Test For Programmers? 522

Nerval's Lobster writes In order for a movie or television show to pass the Bechdel Test (named after cartoonist and MacArthur genius Alison Bechdel), it must feature two female characters, have those two characters talk to one another, and have those characters talk to one another about something other than a man. A lot of movies and shows don't pass. How would programming culture fare if subjected to a similar test? One tech firm, 18F, decided to find out after seeing a tweet from Laurie Voss, CTO of npm, which explained the parameters of a modified Bechdel Test. According to Voss, a project that passes the test must feature at least one function written by a woman developer, that calls a function written by another woman developer. 'The conversation started with us quickly listing the projects that passed the Bechdel coding test, but then shifted after one of our devs then raised a good point,' read 18F's blog posting on the experiment. 'She said some of our projects had lots of female devs, but did not pass the test as defined.' For example, some custom languages don't have functions, which means a project built using those languages would fail even if written by women. Nonetheless, both startups and larger companies could find the modified Bechdel Test a useful tool for opening up a discussion about gender balance within engineering and development teams.
Image

Book Review: Sams Teach Yourself Node.js In 24 Hours Screenshot-sm 112

Michael Ross writes "Since its introduction in 1994, JavaScript has largely been utilized within web browsers, which limited JavaScript programmers to client-side development. Yet with the recent introduction of Node.js, those programmers can leverage their skills and experience for server-side efforts. Node.js is an event-based framework for creating network applications — particularly those for the Web. Anyone interested in learning this relatively new technology can begin with one of numerous resources, including Sams Teach Yourself Node.js in 24 Hours." Keep reading for the rest of Michael's review.
Image

Book Review: CoffeeScript: Accelerated JavaScript Development Screenshot-sm 100

Michael J. Ross writes "For decades, programmers have written computer code in one language, and then programmatically translated that code into another, lower-level form (typically machine code that can be run directly by a microprocessor, or some sort of bytecode that can be interpreted by a virtual machine). For instance, source code written in C or C++ is compiled and assembled into machine code. In web programming, there are emerging languages and other tools for translating code into JavaScript. For instance, Google Web Toolkit allows the programmer to create web apps in Java. The latest addition to this category is CoffeeScript, a language that can be compiled into JavaScript, and is intended to reduce source code size and clutter by incorporating some of the best operators from other Web scripting languages, particularly Ruby. It is also the topic of a new tutorial, CoffeeScript: Accelerated JavaScript Development." Read on to learn what Michael thinks of this book.

Slashdot Top Deals