I’m harvesting credit card numbers and passwords from your site (2018)
medium.com
For those interested, the original discussion from 2018: https://news.ycombinator.com/item?id=16084575
It's worth noting that a takeaway message from this is "A strict CSP policy would completely prevent this attack, as long as Chrome supports the `prefetch-src` directive."
Unfortunately the ticket for implementing that (or taking the implementation out from behind its flag) is still open and has just had its 4th birthday.
https://bugs.chromium.org/p/chromium/issues/detail?id=801561
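As an added illustration of the CSP point above (example code written for this page, not from the thread or the article), here is a small checker that parses a `Content-Security-Policy` header and reports which directive, if any, would govern the `<link rel="prefetch">` channel the article's payload uses. It assumes the CSP3 fallback chain (`prefetch-src`, then `default-src`; neither present means the prefetch is unrestricted) and uses a deliberately simplified source-expression matcher; all policies and origins are constructed samples.

```javascript
// Added example (not from the thread or the article). Assumption: CSP3
// fallback chain for prefetches: prefetch-src, then default-src; with
// neither present the browser places no restriction on the prefetch.
const PREFETCH_FALLBACK = ["prefetch-src", "default-src"];

// Parse "directive sources; directive sources" into Map<name, [sources]>.
// Per CSP, a repeated directive name is ignored, so the first one wins.
function parseCsp(header) {
  const policy = new Map();
  for (const clause of header.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified source matching: 'self', '*', scheme-only (https:),
// wildcard host (*.example) and exact origin/host. Nonces/hashes ignored.
function sourceAllows(source, origin, pageOrigin) {
  const host = origin.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  if (source === "*") return true;
  if (source === "'self'") return origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return origin.toLowerCase().startsWith(source.toLowerCase());
  }
  if (source.startsWith("*.")) return host.endsWith(source.slice(1));
  return source === origin || source === host;
}

// Which directive governs a prefetch to exfilOrigin, and is it blocked?
function assessPrefetch(header, exfilOrigin, pageOrigin) {
  const policy = parseCsp(header);
  const directive = PREFETCH_FALLBACK.find((d) => policy.has(d)) || null;
  if (directive === null) {
    return { directive, blocked: false, reason: "no prefetch-src/default-src: prefetch unrestricted" };
  }
  const sources = policy.get(directive);
  const allowed = sources.some((s) => sourceAllows(s, exfilOrigin, pageOrigin));
  return { directive, blocked: !allowed, reason: `${directive} ${sources.join(" ")}` };
}

// Constructed samples: the first locks down scripts and XHR but sets no
// default-src, leaving the prefetch channel open; the second closes it.
const WEAK_CSP = "script-src 'self' https://cdn.example; connect-src 'self'; img-src 'self'";
const STRICT_CSP = "default-src 'none'; script-src 'self' https://cdn.example; connect-src 'self'; img-src 'self'";
const PAGE_ORIGIN = "https://shop.example";
const EXFIL_ORIGIN = "https://collector.example"; // constructed placeholder
console.log(assessPrefetch(WEAK_CSP, EXFIL_ORIGIN, PAGE_ORIGIN));   // blocked: false
console.log(assessPrefetch(STRICT_CSP, EXFIL_ORIGIN, PAGE_ORIGIN)); // blocked: true
```

Run it as a policy review step: a policy with a `connect-src` restriction but no `default-src` fallback reports the prefetch channel as unrestricted, which is exactly the gap the comment above describes.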
This is a hard problem to solve. It seems to me the best way to mitigate most of the issues is to disallow developers from uploading the built artifacts and instead have the repositories build them. That way, at least you can guarantee the source corresponds to the hosted artifacts. On the other hand, this now puts a huge burden on the package hosters to provide the infrastructure to compile everything. And forget about any oddball packages that require esoteric or picky tools.
Yeah, that makes me wonder how many such real bombs are quietly deployed in npm/maven setups all over the world...