Ask HN: Are they trying to hack me?

1 point by dgrcode 6 months ago
I'm in the middle of an interaction that has raised a few red flags, and at this point I'm confident this is part of a hacking attempt. But I thought asking here could give me a better perspective from an outsider. Here is the sequence of events:

Someone reaches out on LinkedIn claiming to have full-time and part-time roles that match my profile. I say I could be interested in part-time work and they immediately reply that there's a 4k monthly salary offer for 15-20 hours per week.

I reply that's half my hourly rate and they reply the client is almost willing to accept but wants to meet with me first. 1st red flag: no problem with doubling the offer.

I accept and book a time with their technical person. 2nd red flag: the calendar had pretty much full availability.

They tell me to complete a task before the meeting and provide a Microsoft Teams chat with someone from their team to talk about the task.

The person in the chat sends me screenshots of two issues. I ask if they have the code on GitHub, to which they replied "GitHub?". 3rd red flag.

Then the same person sends me a zip file and asks about my Node version. 4th red flag.

At this point I'm already suspicious and not willing to run that code on my machine. I get a fresh Linux install on an old machine and download the code. I asked Cursor to find anything suspicious, and the only thing was a dependency mismatch between package.json and package-lock.json. I check the package present in package-lock, `json-map-source`, which is marked as a malicious package on https://security.snyk.io/package/npm/json-map-source. This package was removed from npm 18 days ago. Big red flag.

I check what npm's resolution of that mismatch is, and I find it would install `json-mappings`. I check on npm: this package was created 18 days ago, and the first and only version is 2.3.8, which happens to be the same version flagged as malicious for the package `json-map-source`. Massive red flag.

Furthermore, the package is not on git, it's uploaded by a throwaway email, and the README shown on npm lists the yarn install command as `yarn add json-map-source` (the malicious package). In the code the package is just loaded and passed as middleware to an express app. The package has `sqlite3` as a native dependency, which compiles native code.

As I'm writing this message I really don't see how this could be something other than a hack attempt, but I'd love to have someone else's input on this. Especially from people more knowledgeable about security than me, which is easy.

Thanks!