Scan your projects for crossenv and other malicious npm packages

Links, code

Dominik Kundel, writing for the Twilio Blog:

On August 1st, Oscar Bolmsten tweeted about how he found a malicious npm package called crossenv that scans for environment variables and POSTs them to a server.

This is particularly dangerous considering that you might have secret credentials for different services stored in your environment variables.

Apparently it’s also not limited to just crossenv, but a series of packages — all of them are names of popular modules with small typos such as missing hyphens.

Check your project for malicious packages

These packages have been taken down by npm, but since credential theft happens upon installation, you should check if you have installed one of them. Ivan Akulov was so kind to compose and publish a list of (at least some of) these malicious packages on his blog. He also wrote a small one-liner that you can execute to check if these packages are installed in your current project:

npm ls | grep -E "babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter"

Search for infected projects on Mac/Linux

If you are like me a person who regularly develops Node.js applications you might have a series of projects and not just one project to check for. I extended Ivan’s command for that reason using find and xargs to actually scan all subdirectories of the folder that contains my projects and execute Ivan’s command there. You can run it by simply copy pasting this command into your command-line:

find . -type d -maxdepth 4 -name node_modules -print0 | xargs -0 -L1 sh -c 'cd "$0/.." && pwd && npm ls 2>/dev/null | grep -E "babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter"'

Search for infected projects on Windows

That command works when you are on Mac or Linux.. Corey Weathers wrote a small PowerShell script for that will do the same thing on Windows:

Get-ChildItem $directory -Directory -Recurse -Include "node_modules" | foreach { cd $_.FullName; cd ..; npm ls | Select-String -Pattern "babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter"} -ErrorAction Ignore

What if a malicious package was detected?

You should immediately rotate all secrets that you have stored in the environment variables. If it’s a project that is shared with other folks don’t forget to alert them to do the same. Don’t forget that Continuous Integration systems and cloud hosts like to use environment variables as well. So if you shipped one of these projects into production or used a system that uses environment variables don’t forget to rotate them there as well.

Read the rest of the original post for more information, I wanted to share this here so you can check your code for any packages that shouldn't be there.

FreshBooks’ Mike McDerment says “building your own competitor” is effective way to solve business problems

Links, On Startups

Amira Zubairi, writing for BetaKit:

At the latest FinTechTO, Mike McDerment, CEO and co-founder of FreshBooks, discussed the challenges teams face when re-platforming within a software company. He also offered tips on how entrepreneurs can successfully execute a redesign.

McDerment kicked off his presentation by giving an overview of how he co-founded FreshBooks, a cloud-based accounting platform that allows users to send invoices, track time, manage receipts, expenses, and accept credit cards.

McDerment said after raising a $30 million funding round back in July 2014, he began to think about how the company would keep up with technological changes over next decade.

“What we actually decided instead was that we needed to re-platform the company, like the whole product, go build a whole new thing.”

“In the back of my mind, I was like, are we really set up for the next 10 years?” said McDerment. “Since we started the company, all the technology had changed…it’s a very different world than, say, 2013, from a technology standpoint.”

At this point, McDerment said he was thinking of ways to transform or improve FreshBooks so that it’d be “set up to win in five or 10 years.” While he could have gone the route of “keep doing what you’re doing,” McDerment decided to take a different path.

“What we actually decided instead was that we needed to re-platform the company, like the whole product, go build a whole new thing,” said McDerment, adding that this was “a stupid move” for a couple of reasons.

“Reasons why you don’t want to re-platform include competition…may catch up while you’re doing it,” said McDerment. “I promise you, it’s going to take longer than you think…you could go through all the trouble and you don’t necessarily end up with a better product in the end.”

Along with these reasons, McDerment stressed that re-platforming means that companies often run the risk of undermining their customers’ trust, which in turn, makes it harder for engineering teams to take the risk of entirely re-building a product.

Speaking about his own experience, McDerment said when FreshBooks’ team decided to redesign, he had to find a way to do this and “not lose out competitively, [and] get the team to a place where they could take some of these really big risks.”

In the end, FreshBooks created a new company with a new name, URL, and product, and have it compete with FreshBooks’ existing products. McDerment said competing with themselves via a separate company allowed FreshBooks to not only keep their customers’ trust, but also test out a new platform, collect data, and determine whether they had created something better or not.

For entrepreneurs who may be struggling to build their companies, McDerment ended his presentation with a few words of advice.

“Building your own competitor is a novel way to solve a hard business problem,” said McDerment. “I’d just encourage you to believe that there is a way you can do this. It may not be obvious, it may not be logical, but there is a path.”

I've always respected Mike and what they are doing at freshbooks, we've used them for all our book keeping here for years.

You can watch the full presentation below:

Introducing outgoing webhooks

Inside Flybase, code

Today we’re announcing outgoing webhooks - a long awaited feature that will notify your websites and apps whenever data changes occur.

This opens up a new range of possible integrations

Adding outgoing webhooks means you can get notified directly in slack or elsewhere when new records are added, when records are updated or deleted.

To create an outgoing webhook, just click webhooks in the dropdown:

Then edit the form:

Hit Save and when you save a new record with our API, we will send notifications to your webhook instantly.

We've got some options for how we send the data, you can have it sent using a standard form post, send as a json string using payload as the containing variable, or just send as a JSON request.

If you are sending to Slack, we automatically detect the slack url and format it accordingly so it shows up nice looking.

All outgoing webhook notifications also include two extra fields, one for event to say what happened (new record, updated record, deleted record) and a url to the record in your dashboard.

You can delete the webhook at anytime from your webhooks management page.

Jason Fried on One Door at a Time

Links, On Startups

Entrepreneurs are told to go big or go home. Stop obsessing over scale, and perfect the basics instead.


But now, entrepreneurship seems like a sport. And the score depends on scale. How big can you get? How fast can you get big? How much power can you amass in the shortest possible time?

We've prided ourselves on staying mostly small, it lets us focus on things that might fall through the cracks other wise.

Page 1 of 49 Next