I agree with much of what you said here, but is it really just about the package manager? If I had specified this repo's git url with a specific version number or sha directly in my package.json, the outcome would be just about the same. And so that's not really an end-run around version control at that point. Even with npm out of the picture the problem is still there.
> If I had specified this repo's git url with a specific version number or sha directly in my package.json[…] that's not really an end-run around version control at that point
Yes it is. Git doesn't operate based on package.json.
You're still trying to devise a scheme where, instead of Git tracking the source code of what you're building and deploying and/or turning into a release, you're excluding parts of that content from Git's purview. That's doing an end-run around the VCS.
Well, either way, the point stands that checking this dependency into source control would not have made any difference since it was malicious all along.
This is an "all else being equal" argument except without saying so explicitly, and it falls apart if that doesn't hold.
Your claim is that no matter whether dependencies' source code is acquired by git-clone or npm-install, then everything related to this attack unfolds exactly the same as it did in the timeline where we live. But as I said in my first comment in this thread the effect of going along with The NPM Way changes how people interact with third-party code.
My contention is that in the universe where dependencies get checked into version control, this is one package that (assuming it ever got created at all) would have been less successful in conscripting others to choose it as a dependency, and that wrt the remaining instances if any where it was approved to be checked in, the question of what effect the mere act of checking it into version control and the fact of its existing there has on its being discovered sooner is non-zero.
The OS isn't allowing anything as far as I can see. It's a fork of a library that allows you to use the WhatsApp API, it actually works, it also just happen to also harvest your credentials and messages.
Should the OS prevent you from doing API calls to WhatsApps servers? What about the actual library this is based on, should that be blocked as well?
The root of the problem is that users and developers may have legitimate reasons to want API access to a service, like WhatsApp. That just comes with a level of risk. Especially in a world where we're not use to auditing our dependencies. The only sort of maybe solution I can see is the operating system prompting you when an application want's to make an outgoing request, but in this case the messages might just go to AWS and an S3 bucket, or it could send them via WhatsApp to the attack, how would you spot that in the operating system, without built in knowledge of WhatsApp specifically?
This is an npm package that allows you to interact with WhatsApp using their API. The OS wouldn’t prevent this as it’s not interacting with your WhatsApp on your machine, but rather logging you in via a skillfully made 3rd party interface, that unfortunately happens to also be evil.
