Why not? NPM behaves oddly when there is a public package named the same as one on a private repo; in some cases it'll fetch the public one instead. I believe it's called package squatting or something. They might have just been showing that this is possible during an assessment. No harm no foul here imo
> They might have just been showing that this is possible during an assessment. No harm no foul here imo
You're not supposed to leave public artifacts or test on public services during an assessment.
It's possible Cursor asked them to do so, but there's no public indication of this either. That's why I qualified my original comment. However, even if they did ask them to, it's typically not appropriate to use a separate unrelated public service (NPM) to perform the demo.
Source: I've done a handful of security assessments of public packaging indices.
It's not about being a problem or not. It's a basic responsibility when doing security research: maintaining an isolated test environment is table stakes.
How should it have been done differently? How else is the researcher supposed to know if the attack works? "Hey random company, we have no proof it's going to work but we think maybe your system, which we can't see, is vulnerable! Go waste time and check!"
Cursor team has already stated here that they did not ask Snyk to perform a security audit. I wonder if Snyk's actions are equivalent to me coming to your house late at night and then trying to open any and all doors and windows. In the name of security research. Without an invitation from you.
How else am I to validate that your house is secure?
Local DNS override, and two registries. One mirroring the relevant public NPM packages as they are, and one "normal" internal one. Make the mirror registry resolvable with the same name(s) as the real, public NPM registry.
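The comments above describe the failure mode (an internal package name resolving to the public registry) and the isolated-registry setup for testing it. The following is an added example, not code from the thread or from any of the companies mentioned: a static check, run offline against a project's package.json and .npmrc, that reports every internal dependency npm would still be allowed to resolve from the public registry. The package names, the `@acme` scope, the internal registry URL and the allowlist of internal names are all constructed for the example; the .npmrc parser is a simplified one that only understands `registry=` and `@scope:registry=` lines.

```javascript
// Added example (not from the thread): static dependency-confusion exposure check.
// Inputs are constructed sample strings so the script runs offline.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
const INTERNAL_REGISTRY = "https://npm.internal.example/"; // constructed
// Constructed allowlist: names that exist only on the internal registry.
const INTERNAL_NAMES = new Set(["@acme/auth-client", "acme-billing-utils"]);

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    express: "^4.19.0",
    "@acme/auth-client": "^2.1.0",   // scoped internal package
    "acme-billing-utils": "^1.0.0",  // unscoped internal package
  },
});

// Weak setting: everything, internal names included, resolves from the public registry.
const WEAK_NPMRC = "registry=https://registry.npmjs.org/\n";
// Corrected setting: the @acme scope is pinned to the internal registry.
const FIXED_NPMRC =
  "registry=https://registry.npmjs.org/\n" +
  "@acme:registry=https://npm.internal.example/\n";

// Simplified .npmrc parser: keeps only `registry=` and `@scope:registry=` keys.
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.registry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

// Registry npm would contact for `name`: scope mapping first, then the default.
function registryFor(name, cfg) {
  if (name.startsWith("@")) {
    const scope = name.slice(0, name.indexOf("/"));
    if (cfg.scopes[scope]) return cfg.scopes[scope];
  }
  return cfg.registry;
}

// Returns the internal dependencies whose effective registry is not the internal one.
function findExposedInternalDeps(packageJsonText, npmrcText, internalNames, internalRegistry) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const cfg = parseNpmrc(npmrcText);
  const exposed = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue;
    const resolvesFrom = registryFor(name, cfg);
    if (resolvesFrom !== internalRegistry) {
      exposed.push({
        name,
        resolvesFrom,
        // An unscoped name cannot be bound to a registry in .npmrc at all,
        // so the only durable fix is to move it under a scope.
        fix: name.startsWith("@")
          ? `add "${name.slice(0, name.indexOf("/"))}:registry=${internalRegistry}" to .npmrc`
          : "rename under an internal scope; unscoped names cannot be pinned per package",
      });
    }
  }
  return exposed;
}

// Stand-alone run: compare the weak and corrected configurations.
for (const [label, npmrc] of [["weak", WEAK_NPMRC], ["fixed", FIXED_NPMRC]]) {
  const findings = findExposedInternalDeps(SAMPLE_PACKAGE_JSON, npmrc, INTERNAL_NAMES, INTERNAL_REGISTRY);
  console.log(`${label}: ${findings.length} exposed`, findings);
}
```

With the weak .npmrc both internal names are reported; with the scope binding in place only the unscoped `acme-billing-utils` remains, which is the point a reviewer would want surfaced: a scope mapping closes the gap for scoped names, and an unscoped internal name has no per-package setting that protects it.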
Yeah but this is just the name of the game. How can you even stop SEO style gamification at this point? I’m sure even LLMs are vulnerable/have been trained on SEO bs. End of the day it takes an informed user. Remember back in the day? Don’t trust the internet? I think that mindset will become the main school of thought once again. Which tbh, I think maybe a good thing.
Yeah I was thinking while reading this: aren't they actually allowed to sell that empty seat already since they are allowed to oversell? What do they want to do here? Triple dip?
That’s how open source already works by default. The difference is if an OSS tool is broken my boss doesn’t imply landing a fix is my responsibility on top of my regular job duties.
> being able to land a diff to fix the issue is awesome imo.
Yes, if it's a one-off. But for my last project that would involve spinning up many "XFNs" (multi-team chat fests) to argue that actually they don't want to have that change because of reasons x, y and z.
At which point you just give up and make a stupid fucking hack.
So much is not about engineering excellence, it's about trying to get people to accept change.
I don't think so, because it was already predicted to be likely that the US Fed would lower rates by the time Japan raised theirs. The jobs report from the US sealed it.