Category Archives: Security

Node Package Squatter Squats on 35 Organizations

An extremely primitive supply-chain attack is being carried out for profit by a “researcher” on Node Package Manager (npm) in three languages. After finding a public reference to a package name, a squat is attempted:

During the second half of 2020… we were able to automatically scan millions of domains belonging to the targeted companies and extract hundreds of additional javascript package names which had not yet been claimed on the npm registry. I then uploaded my code to package hosting services under all the found names and waited for callbacks.

They rate success in terms of the easy money paid to them by targets offering a “bounty”, as well as quantity for potential squats:

…logging the username, hostname, and current path of each unique installation. Along with the external IPs… [squatted] more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations. Due to javascript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages…

They repeatedly pat themselves on the back for getting money out of people for this and they exhibit a lot of “social entry” interest in their “shout-out” section, which thanks “bounty programs, making it possible for us to spend time chasing ideas”…

We Wear the Mask

by Paul Laurence Dunbar

…born in Dayton, Ohio, on June 27, 1872. His parents, Joshua Dunbar and Matilda Murphy Dunbar, were married six months earlier, on December 24, 1871. Both slaves prior to the Civil War, Joshua Dunbar escaped and served in both the 55th Massachusetts Infantry Regiment and the 5th Massachusetts Colored Cavalry Regiment before coming to Dayton…. Many of their experiences of slave and plantation life influenced Dunbar’s later writings.

A poem about authenticity and power in America:

We wear the mask that grins and lies,
It hides our cheeks and shades our eyes,—
This debt we pay to human guile;
With torn and bleeding hearts we smile,
And mouth with myriad subtleties.

Why should the world be over-wise,
In counting all our tears and sighs?
Nay, let them only see us, while
We wear the mask.

We smile, but, O great Christ, our cries
To thee from tortured souls arise.
We sing, but oh the clay is vile
Beneath our feet, and long the mile;
But let the world dream otherwise,
We wear the mask!

Hackers Attempted to Remove Regulation of Poison Content in Florida

Someone needs to say “damn Florida, water you even doing right now” (puns intended) given the latest news.

And I don’t say this lightly, despite the puns, given Florida’s awful history of “killing zones” in water.

This blog post title could be talking about Facebook’s “business” relationship with Cambridge Analytica being so obviously toxic to humanity, or it could be talking about Flint, Michigan being a foreshadowing.

The reader would be forgiven for assuming either of those stories is linked here to a metaphor of poisoned content, misuse of controls, and the need for better regulation.

However, this is a non-metaphorical story. A hacker literally attempted to bypass regulations and change the controlled level of a known harmful substance flowing into a massive content delivery system — water.

“The hacker changed the sodium hydroxide from about one hundred parts per million, to 11,100 parts per million,” Gualtieri said, adding that these were “dangerous” levels. When asked if this should be considered an attempt at bioterrorism, Gualtieri said, “What it is is someone hacked into the system not just once but twice … opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance. So, you label it however you want, those are the facts.”

So now when Clubhouse, or Uber, or some other anti-regulatory tech darling says they want to be the next water, be sure to ask them to explain this story and how they’d handle it.

There are a couple obvious integrity questions being floated (pun not intended) here.

First, why could the amount go up by more than a small percentage in a single change, for example? Adding a bunch of zeros to 100 (or 1s, from 100 to 11100) sounds like this was a lazy attack to overflow (pun not intended) the input field in more ways than one.

Second, what’s this remote access direct into changing levels all about? I can maybe understand remote access to something with limited capabilities (see point one) but total control with no multi-factor authentication (MFA)? Everyone knows that is just wrong, mismanagement of basic plant safety. Update: TeamViewer has a history of this, where users report losing control even with MFA.

Third, multiple entry? Coming back a second time means the platform admins allowed a hacker to lye in wait (ok, pun intended because sodium hydroxide is lye, get it?). I just wanted to say lye in wait. But seriously, what else did they change and can the admins even tell or should the whole infrastructure be treated (pun not intended) as contaminated?
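The three integrity questions above map onto simple controls: a hard ceiling and a maximum step size on the setpoint, an MFA requirement on the session making the change, and an audit trail that flags anyone who comes back for a second try. This is an added illustration, not code from the plant or from the original post; the 500 ppm ceiling and 10% step limit are constructed assumptions, while the 100 to 11,100 ppm values come from the story.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed limits for a sodium hydroxide (lye) dosing setpoint, in parts per
# million. These are illustrative assumptions, not the plant's real values.
NAOH_HARD_MAX_PPM = 500.0   # absolute ceiling the controller will ever accept
NAOH_MAX_STEP_PCT = 10.0    # largest single change, as a percent of the current value


@dataclass
class SetpointChange:
    operator: str
    mfa_verified: bool  # did the session making the change pass MFA?
    old_ppm: float
    new_ppm: float


@dataclass
class ChangeAudit:
    accepted: List[SetpointChange] = field(default_factory=list)
    rejected: List[Tuple[SetpointChange, str]] = field(default_factory=list)


def validate_change(change: SetpointChange) -> Optional[str]:
    """Return None if the change is allowed, otherwise the reason it is refused."""
    if not change.mfa_verified:
        return "session not MFA-verified"
    if change.new_ppm < 0 or change.new_ppm > NAOH_HARD_MAX_PPM:
        return f"{change.new_ppm} ppm outside hard range 0..{NAOH_HARD_MAX_PPM}"
    if change.old_ppm > 0:
        step_pct = abs(change.new_ppm - change.old_ppm) / change.old_ppm * 100
        if step_pct > NAOH_MAX_STEP_PCT:
            return f"step of {step_pct:.0f}% exceeds {NAOH_MAX_STEP_PCT}% per change"
    return None


def apply_change(audit: ChangeAudit, change: SetpointChange) -> bool:
    """Apply the change if valid; record the outcome either way for later review."""
    reason = validate_change(change)
    if reason is None:
        audit.accepted.append(change)
        return True
    audit.rejected.append((change, reason))
    return False


def repeat_offenders(audit: ChangeAudit, threshold: int = 2) -> List[str]:
    """Operators with `threshold` or more rejected changes: the 'came back twice' signal."""
    counts: Dict[str, int] = {}
    for change, _reason in audit.rejected:
        counts[change.operator] = counts.get(change.operator, 0) + 1
    return sorted(op for op, n in counts.items() if n >= threshold)
```

With these limits the 100 to 11,100 ppm jump from the story fails the hard-range check before the step check is even reached, and a second attempt by the same session shows up in the audit as a repeat.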

White History Month

Brilliant history/comedy by The Amber Ruffin Show explaining why Americans desperately need a White History Month:

I do feel the need to point out her citation of Lincoln, while true, evades the important context of his speech.

First, after being repeatedly and fraudulently bashed by his political opponents as someone who would dare to marry blacks to whites (narratives about protecting white women from black men are a long-time propaganda method), Lincoln said he was racist enough not to do the things he was being accused of. It wasn’t his best moment to be sure and there’s no excusing it, but you have to understand he was saying that in his experience he didn’t see whites and blacks as equals. He still was an abolitionist, just a racist one.

Second, this attitude changed dramatically after he became President. Like President Grant, who often reflected on where he had made mistakes and who worked to overcome and amend them, Lincoln came to regard blacks as equals. So the context is really a terrible defense he used in the heat of contest to prove he was worthy of votes even by racist Americans, which reverses completely into a story of him emancipating slaves and (through new experiences) finally describing blacks as equal to whites.