maennchen

maennchen

What if the BEAM ecosystem got hit by a worm?

One package.
One update.
A worm crawling through the BEAM ecosystem.

A dark “what if” — and how we can stop it before it’s real.

Most Liked

BartOtten

BartOtten

  1. Keep human control
    After reading the post-mortem of the npm-debacle, one takeaway stands out to me: we should avoid letting CI automatically update packages and dependencies. Keeping this as a manual step—with 2FA—adds a valuable layer of control. It’s a bit like the stock market: crashes sometimes happen when automated systems react blindly to one another’s signals.

  2. Don’t trust humans (yourself)
    Earlier this month, Josh Junon was targeted by a successful phishing attack. While we don’t have full details—such as whether a password manager was in use—it’s notable that the phishing domain (npmjs[.]help) was a clear lookalike. A good password manager would typically flag this, which raises the possibility that one wasn’t used or its warning was ignored. Both could have been prevented and, imho, should have due to the sizes of the packages install base.

  3. The way forward!
    The BEAM ecosystem currently lacks some critical safeguards that could help prevent these types of incidents. That’s why investing in the development of stronger tools and practices is not just important—it’s essential as clearly stated in the linked post.

  4. In the meantime
    In the meantime, let’s stay vigilant, support one another, and make security a shared responsibility.

Lookout fir yourself aaand each other - Jerry Springer.

maennchen

maennchen

That’s not really the thing I would like people to take from this. Having the possibility that CI’s can publish makes a lot of sense, but only if done right. (Release Environments in GH for example so that only select jobs triggered by the right people get access).

I for sure prefer a clean CI setup over a large project handing out control to a lot of people.

One other way is to force WebAuthn based 2FA for all package maintainers. WebAuthn will not work on any domain.

garrison

garrison

Why not allow CI to build/upload new package versions but then add an additional (browser) 2FA step to “publish” the new version? That way a compromised API token would be much less dangerous but you still get the benefits of CI.

Keep in mind that building on developer machines offers no security benefit here. A lot of these attacks have actually targeted developer machines. It’s only the 2FA step that matters.

A great first step would be to support WebAuthn 2FA at all.

BartOtten

BartOtten

That’s what I meant.

But you still risk chain attacks that extract secrets from the CI env. There are ways to circumvent it (Release Env’s being one of them), but if major NPM-package maintainers ‘fail’ to do it property, how much should we trust ourselves and others?

Example: only a few weeks ago I realized GH pages were generated and published for every PR. A slight oversight. Each PR could simply add JS or add an extra dependency to the installation instructions.

garrison

garrison

Well sure but building outside of CI doesn’t help with that.

All you can really do here is either carefully vendor and check your deps or keep important secrets out of CI.

The 2FA-for-publish strategy is option B there: it makes the secret (hex API key) unimportant (because it can no longer publish).

Fundamentally it seems like the lesson from this npm business is that, actually, communities catch these attacks pretty fast. It’s just that they’ve built tools which propagate code even faster.

Where Next?

Popular in Blog Posts Top

luckywatcher
Hey all! I just started a blog focused on web development in Elixir. I wrote my first article and thought I’d post it here for the whole...
New
jordiee
https://medium.com/@jpiepkow/distributed-state-is-hard-5a0d384c2f3c
New
aymanosman
The desire to produce structured logs is common. In this article, I will survey the major approaches one could take to achieve this goal ...
New
wmnnd
Here’s the story how one of the world’s first production deployments of LiveView came to be - and how trying to improve it almost caused ...
New
szajbus
Monaco is state-of-the-art browser-based code editor that powers VS Code. Let’s see how to integrate it with Phoenix LiveView using esbuild.
New
AstonJ
Just finished doing a clean install of macOS (which I highly recommend btw!) and have updated my macOS Ruby & Elixir/Erlang dev env s...
New
brainlid
Dialyzer is a tool that you’ve probably heard about in the Elixir community. You may have even used it. However, adding Dialyzer to an ex...
New
AstonJ
Elixir Blog Posts How to use this section You can post links to your blog posts either in one of the Official Blog Posts threads, or, vi...
New
gaggle
This post explores different ways to do test automation in Elixir, focusing on how to handle dependency injection — covering patterns, li...
New
mssantosdev
Our take on how to build a frontend style guide with Phoenix Components, Atomic Design and plain CSS, with focus on reusability and code ...
New

Other popular topics Top

JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1140 51847 244
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New
William
I would like to know that is there any online source for learning Phoenix Framework for building E-Commerce Store? Any advantage on build...
New
_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod -- where is this set? Thanks.
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 27727 240
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement