09:24 <beneroth> hi all

09:49 <Regenaxer> Hi beneroth, welcome back!

09:50 <beneroth> Hey Regenaxer, thank you :)

09:52 <Regenaxer> :)

09:56 <Nistur> mornin' all

09:56 <Regenaxer> Hi Nistur

09:56 <beneroth> morning Nistu'

09:56 <Nistur> o/

21:08 <aw-> rick42: hey, i was on vacation, sorry ;)

21:13 <beneroth> hey aw-

21:13 <aw-> hey bene

21:13 <beneroth> [OT] NPM strikes again: https://github.com/dominictarr/event-stream/issues/116

21:13 <beneroth> "he emailed me and said he wanted to maintain the module, so I gave it to him. I don't get any thing from maintaining this module, and I don't even use it anymore, and havn't for years."

21:14 <beneroth> maintainer gives ownership to new guy, new guy injects malware :)

21:15 <Regenaxer> Oh, aw-! WB

21:16 <beneroth> https://github.com/dominictarr/event-stream/network/dependents

21:16 <beneroth> hey Regenaxer :)

21:16 <aw-> hi

21:16 <aw-> thanks

21:21 <beneroth> "part in the original report where it stated that the malicious code was only present in the minified version of the package? Seems there is an underlying issue of npm not enforcing deterministic minification or something along those lines here."

21:21 <beneroth> so... despite the social-political dimension of problems like this... I would blame NPM for that :)

21:27 <aw-> wow

21:27 <beneroth> maybe interesting for tankf33der too, the injected malware is apparently modifying the behaviour when used in combination with crypto code

21:28 <xkapastel> woww

21:28 <xkapastel> another attack like this?

21:28 <xkapastel> is npm even safe to use

21:28 <xkapastel> i guess it really isn't. they need to rethink the model

21:29 <beneroth> npm is not safe to use!

21:29 <beneroth> that was obvious years ago.

21:30 <beneroth> NPM itself (the company, the repo) had 2 (or was it 3?) incidents which allowed undetected placing of malware (without having to social-engineer the original owner to hand over ownership/maintainer-rights)

21:30 <beneroth> they promised to fix their process and add controls after each case, which they obviously didn't do

21:31 <beneroth> this case is a bit more special, as the maintainer/owner-rights got handed to a bad actor - but still, that the guy managed to put the malware only in the minified version of the code (while the non-minified-code looks good) I would see as failure of NPM.

21:33 <beneroth> obviously the minified version is usually used in production code, and the non-minified version for development and debugging.

21:34 <beneroth> https://www.npmjs.com/package/event-stream

21:34 <beneroth> just about 2 million downloads a week and 1'584 package depending on this package

21:34 <beneroth> hahaha

21:35 <aw-> haven't checked news in a few weeks... why is Bitcoin so low now?

21:35 <beneroth> "the package attempts to steal Bitcoin from an installed Bitcoin wallet"

21:35 <beneroth> aw-, no idea

21:37 <Regenaxer> It is only relevant for the two bitcoin-cash forks

21:38 <Regenaxer> And not steal, but double-spend

21:38 <Regenaxer> the two forks are in conflict, a kind of war

21:40 <beneroth> Regenaxer, I was talking about the malware in the NPM repo.

21:40 <Regenaxer> ah, ok

21:40 <beneroth> it's (yet?) unrelated to current bitcoin value, I believe

21:40 <aw-> so, nobody knows why the currency fluctuates that way?

21:40 <Regenaxer> aw talked about attempts to steal Bitcoin

21:40 <Regenaxer> general loss of trust because of that

21:41 <aw-> oh ok

21:42 <beneroth> maybe course correction, in recent times (weeks, months, dunno) multiple bitcoin course manipulations came to light afaik

21:42 <beneroth> I don't have any sources for that at hand right now

21:43 <Regenaxer> I'm not sure too