arduino-ide-extension marked as malware #3487
Comments
|
Hey @rhaidiz, the npm team is 100% the right team to contact. If I had to guess, I think what may have happened is that someone uploaded a package named The advisory itself only applies to the package |
|
Thank you @darakian , my guess as well. However, now we are running in the issue of having NPM support has answered by showing that the NPM registry (https://www.npmjs.com/package/arduino-ide-extension) contains now a version "0.0.1-security" which is used as security placeholder. My guess is that now the GitHub advisory should be updated to reflect that only versions >= 0 and < 0.0.1-security are affected, so to now disrupt when running P.S.: I've updated the title of the issue to correct the spelling of package. Correct spelling is "arduino-ide-extension" and not "arduino-ide-extention" |
rhaidiz
changed the title
What is it matching against though? Is there some other npm package with that name from a private registry or something you're using? On the face of it this seems like a yarn bug to me as our data is quite clear that we're talking about the package with that name on npmjs.com I'm not sure changing the versions would be much more than a hacky fix 😞 |
|
I see, it is a bit confusing since the output from Let me see if I got this right: the advisories on GitHub are published based on information that npmjs.com is providing to GitHub, so npmjs.com doesn't have ad advisories database, they just use GitHub as a publisher, but any issue with the advisory itself should be discussed with npmjs.com. Moreover, whatever check is performed by |
|
I am not familiar with how yarn uses our advisory data, but if they are raising the alert to you then I would guess that they are either finding the malware package in your dependency tree or they are mismatching on something. Hence I would raise the issue with them. NPM used to have their own database but merged into us back in 2021 |
|
Shouldn't this advisory be updated anyway? BTW I've contacted NPM support and they are telling me that changes to an advisory should be requested here and not to them. |
Indeed. We do that so that anyone who had downloaded the malware package prior to it being pulled will get an alert. So, no I don't think we want to update the advisory.
Correct. If the package was only ever malware then that is the desired behavior. |
@darakian, could you please explain why I get the malware warning when my private npm package happens to have the Isn't it a false positive warning when I run |
I can. The npm cli does not distinguish packages based on source during alert delivery. There's an rfc open for that to change you can view here |
|
It’s probably best anyways to use a scope, even if it’s internal-only, to avoid confusion. |
|
Hey all! Doesn't seem like there's much more we can do here as we are unable to change npm malware advisories. Any last questions before I close this issue out? |
|
Hey @KateCatlin and @darakian apologies for a late reply, I've been out of office for a few days and I'm now back. Thank you all for you patient and support on the matter. |
|
@rhaidiz happy to help and sorry for the back and forth. Glad you're happy with the outcome and thank you for caring enough to take the time to open this issue as well :) Feel free to drop by anytime with any other comments/criticisms as well. Hopefully we can do more for you next time 😉 |
Hello, this is the Arduino Security Team. We have recently came across an advisory published on GitHub (GHSA-7884-8cw4-qpgx) that is reporting the
arduino-ide-extentionas containing malware.The package is part of a bigger project called Arduino IDE 2.x (https://github.com/arduino/arduino-ide) and has never been listed in the npm registry.
We believe this to be a part of an attempt from a threat actor to conduct some kind of dependency confusion on our repo.
We have already contacted NPM to let them know of the issue, we would also appreciated it if you could help us in removing this advisory, thanks.
The text was updated successfully, but these errors were encountered: