Koa: Security Issue. Status?

Created on 28 Jun 2017  路  10Comments  路  Source: koajs/koa

Hi,
I have just read this article: https://www.bleepingcomputer.com/news/security/52-percent-of-all-javascript-npm-packages-could-have-been-hacked-via-weak-credentials/
and since koa is directly referenced, I just wanted to know if theres an status / update on this.

Thanks!

picture juancancela

Most helpful comment

@jonathanong we should prob just do this immediately, we can always add people back after they take this seriously

picture niftylettuce on 21 Aug 2017
👍3

All 10 comments

One of the passwords with access to publish koa was literally 'password'

How can you trust a status update after this?

nathan-k picture nathan-k on 28 Jun 2017

luckily, i know that one wasn't me 馃樄

we can just do a user audit and kick out people without 2 factor in the github org and remote npm publishing rights from people who haven't been publishing

jonathanong picture jonathanong on 28 Jun 2017

@nathan-k to be fair, now is probably when you should be "least" concerned - right after an expos茅 like this. A lifejacket should be worn even in calm waters - when it's stormy, everyones knows to wear it. Weird analogy

So Koa was directly targeted in that article - they say there's no bad press, but .. well :rofl:

fl0w picture fl0w on 28 Jun 2017

Everyone should enable 2 factor.

fengmk2 picture fengmk2 on 28 Jun 2017

we can just do a user audit and kick out people without 2 factor in the github org and remote npm publishing rights from people who haven't been publishing

馃槗 Let's do this.

dead-horse picture dead-horse on 28 Jun 2017

emailed/tweeted people who don't have 2 factor auth in this org.

jonathanong picture jonathanong on 16 Jul 2017
👍1

still a few people left.

for npm permission... not sure, that's a lot more work. lol. ideally, npm has 2 factor auth

jonathanong picture jonathanong on 21 Jul 2017

i will need to spend time later to boot people off npm packages

jonathanong picture jonathanong on 17 Aug 2017
👍1

@jonathanong we should prob just do this immediately, we can always add people back after they take this seriously

niftylettuce picture niftylettuce on 21 Aug 2017
👍3

removed people. let me know if you see anyone a collaborator of a koa project that shouldn't be or hasn't been active in a while

jonathanong picture jonathanong on 30 Sep 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ke1Del picture ke1Del  路  3Comments
sibelius picture sibelius  路  3Comments
dounine picture dounine  路  4Comments
rowild picture rowild  路  4Comments
wlingke picture wlingke  路  3Comments