Open source information / npm /
text

Qingyunian 2 pirated resources were uploaded to npm, resulting in npmmirror having to suspend the unpkg service

Source: OSCHINA
Edit: game
2024-05-19 16:21:00
thirty-eight

The core developers of the npmmirror mirror (formerly CNPM) are on the social platform express Someone used the mechanism of the npm package to move the whole set of HD pirated resources of the newly launched Qingyunian 2 to npmmirror.

Boy, this is the image station hosting open source software packages as the CDN for video distribution.

Therefore, developers reluctantly expressed that, Npmmirror is currently paused Unpkg's [Add File] service will no longer parse the new package version , but the stock will remain, so it will not affect the user's current business.

Unpkg Introduction

Unpkg is a fast, global, free public npm package CDN, It allows you to access packages on npm through URL It is supported by Cloudflare and can provide fast download speed and cache service.

With unpkg, you can easily include JavaScript libraries, CSS frameworks, etc. in your web pages without downloading them to your server.

For example, if you want to use jQuery in your webpage, you can refer to it through the link provided by unpkg:

 <script src=" https://unpkg.com/jquery @3.5.1/dist/jquery.min.js"></script>

This link will point to the CDN address of jQuery 3.5.1. You can replace the version number as needed.

Unpkg also supports access to package content through paths, such as:

 <link href=" https://unpkg.com/bootstrap @4.5.0/dist/css/bootstrap.min.css" rel="stylesheet">

This link will point to the CSS file of Bootstrap 4.5.0.

Using unpkg can greatly simplify resource management in front-end development, because it provides a simple and fast way to introduce third-party libraries.

Taking the above "Celebrating the Second Anniversary" as an example, the usual method of the ash industry gang that collects wool is to cut the pirated video into several smaller video files (of course, they will "hide" the video files with the Sao operation, which will not be expanded here), and upload them to npm
( https://www.npmjs.com/package/lyq2/v/1.1.7-1 )And then reference them as "packages".

In addition to video files, the gang uploaded m3u8 files to unpkg( https://unpkg.com/lyq2 @1.1.7-1/playlist.m3u8 )As an index.

With "video source file" and "index", it can be played online on video websites.

M3U8 is a streaming media format gradually widely used in recent years. Its full name is UTF-8 encoded M3U file. M3U, Media Playlist is an index plain text file, which is mainly used to record the list of audio and video blocks.

When we open an M3U file, the playback software does not play the file directly, but finds the network address of the corresponding audio and video file according to the index in the file for online playback.

As the mirror station of npmjs.com, npmmirror will synchronize the full image of npm to the Chinese server (Alibaba Cloud is used), which includes the above pirated resources. With domestic servers, the speed is naturally faster

Of course, this is not the first time a pirate gang has done such a thing. Last year, foreign security research teams introduced the case of npm abuse - they found that 748 software packages hosted in npm are actually video files (outside the Wulin).

Extended Reading

Expand to read the full text

Related Links

The news on this website is prohibited to be reproduced without authorization. Violators will be investigated for relevant legal responsibilities according to law. For authorization, please contact: oscbianji#oschina.cn

Title: Qingyunian 2 pirated resources were uploaded to npm, resulting in npmmirror having to suspend the unpkg service

Address: https://www.oschina.net/news/293169/npmmirror-lyq2

Click to join the discussion 🔥 (38) Post and join the discussion 🔥
This wonderful review
Bright
Bright
What a fool! I killed myself. How can people deal with me later.
2024-05-19 23:25
nineteen fabulous
report
xyz990
xyz990
When foreigners and the FBI poisoned open source projects, why didn't you come forward? With such high quality, the United States should be very popular with other countries, right?
2024-05-20 16:14
five fabulous
report
Youth touches the time
Youth touches the time
This is a rat dung, which has not only damaged the image of China, but also affected the entire ecosystem.
2024-05-20 09:16
five fabulous
report
xyz990
xyz990
2023/08/28 10:36
On the other side of the ocean, information comments were published:
How do you make such remarks? My last account has been blocked. In China, don't say bad. If you can't see it, you should suggest that you run it
Digital Guangdong's Apology Statement on CEC-IDE

2023/02/07 09:19
On the other side of the ocean, information comments were published:
The American company is awesome, but the domestic market is still scrambling to buy vegetables. He retired at 35
Google launches an AI product competing with ChatGPT: Bard
2024-05-20 16:19
four fabulous
report
Whisper the wind over the horizon
Whisper the wind over the horizon
I also despise this kind of behavior, but what kind of brain circuit does it take to rise to the national level?
2024-05-20 13:19
four fabulous
report

Hot content

More highlights
Top 10 distinctive highlights of the new ORM mybatis mp
The first anniversary of open source, the new version of Qinghua was released
MooTool 1.6.1 is released, and developers always have small tools
Jboot v4.1.6 release, based on JFinal microservice framework
Blazork8s released a new version, updated AI execution command logic, and added multiple AI functions
Kangaroo database tool v5.0 has been released
Open Source Daily | Out of the box ChatTTS installation package; Scaling Law is an empirical formula; Two baby dads AI revive old toys; Academicians of the Chinese Academy of Engineering talk about AI; The story of autonomous kernel MCU is hard to tell? TikTok "American Special Edition" recommended algorithm
SQLE 3.2405.0 Release
Maximizing the Effective Throughput of LLM Serving
State fine-tuning, PointRWKV, Chinese documents online... The latest news of RWKV community in May is coming!
Java AI has a bright future
Databases that do not need data
This PHP application server looks a bit trendy! FrankenPHP
The Code R&D management platform - the innovative realization of the integration of daily reports and working hours
The easy-to-use ORM framework mybatis-mp 1.5.3 was released
GRPC 1.64.1 release, cross language RPC framework
Malware is rampant in pirated Microsoft Office
Bun's May update: performance improvement and memory optimization
Fedora Traditional Artistic Energy - Anaconda, the default web UI installer, skipped the ticket again
PDM -- Modern Python Package Manager
Selective compilation of xmake project description writing
Use xmake to describe the project elegantly
Use of thread local storage tls
Compile swift code with xmake
The use of vector container in tbox
Use of custom scripts for advanced features
Random thoughts on the later development of xmake
Xmake builder demo
Xmake project description syntax update
Release xmake v2.0.1
Xmake adds automatic header file dependency detection support
Record the discovery and analysis of bugs in boost schedule switching
How to quickly build a simple program
Option binding of xmake advanced features
Custom task task of xmake advanced features
Cross platform implementation of multi process waiting
Use printf to customize print objects
Tbox v1.5.1 update content
Decompress files through streams
Macro script record used by xmake plug-in
Use of sorting and searching algorithms
Compile the project using xmake
Custom options for xmake advanced features
Implement the json parsing tool jcat
Make terminal demonstration video on mac and generate gif
Processing large-scale data filtering with bloom filter algorithm
Switching and waiting for the use of tbox coordination
Thread race detection using lock analyzer
Use of high-precision timer
Running and debugging programs with xmake
Hello xmake for plug-in development
How to enable pdb support for windows compilation
Introduction to new features of xmake v2.1.5
Batch inspection library function of xmake advanced features
Xmake adds support for Qt compilation environment
Parsing and generation of json, xml, plist
Asio architecture
Compilation switch between static library and dynamic library
Using c # to implement cross platform exception capture mechanism
Color highlighting of xmake plug-in development
Use xmake to detect compiler feature support
Digit Extraction in Handwritten Digit Recognition System
Introduction to xmake project description
Using aiop to implement event waiting mode
Updated xmake v2.1.3 to fix security and stability issues
Thinning image of handwritten digit recognition system
Using lua to implement try catch exception capture
Slant correction of handwritten digit recognition system
Use of low precision timer
Using aicp to implement event callback mode
Memory detection
Xmake adds an intelligent code scanning compilation mode
Toggle tbox global memory allocator
Generation of project files used by xmake plug-ins
Use of libraries such as xmake plug-in development
The xmake v2.1.9 version is released, and the configuration of visual graphics menu is added
Context context switching of coroutine analysis
Dependency package addition and automatic detection mechanism
Processing of precompiled header files by different compilers
Tbox added stackless scheduling support
Read/write of stream
Use of database
Character set encoding conversion through stream
Tbox added 64K microkernel compilation mode
Rasterization algorithm of complex polygon
XML parsing
Show me how to compile tbox
Consolidated static library of xmake advanced features
Use of xmake built-in and external variables
Batch tracking method call records of objc
Image Segmentation of Handwritten Digit Recognition System
Overall architecture of stream
Use of built-in two-way list and external two-way list_entry
Talk about atomic operations
Use of thread pool
Batch packaging used by xmake plug-ins
How to cross compile through xmake
Use of hash containers
Xmake adds ios app2ipa plug-in
Getting started with xmake, building projects can be so simple

Popular comments of the whole site

z
zhy 2024-05-16 13:16
At the end of Shannon is Nong
Single structure
Single structure 2024-05-11 10:09
Selected as Open Source China's disgrace pillar
-SORA-
-SORA- 2024-06-01 09:30
American characters
Apizza
Apizza 2024-06-01 17:52
You can switch from lodash to radash in 2024!!!
M
MrChen89 2024-04-29 09:18
There are a group of people like this. I don't know what they have experienced. When it comes to HW, I can't say anything good, even if it's neutral
Voice of God
Voice of God 2024-06-01 20:47
By default, injection ($) and splicing are turned off. If you want to use it, you need to sign the birth and death form and press the fingerprint.
Code craftsman
Code craftsman 2024-06-01 11:22
I also said "user controllable parameters"
Shuimu Yi'an
Shuimu Yi'an 2024-05-20 09:58
The news should be read continuously. I'm waiting for the third news besides rustdesk and teamviewer. Localized remote desktop software is far ahead.
Starry Night Destiny
Starry Night Destiny 2024-06-01 21:49
It feels like Mybatis. It's OK to provide users with optional security solutions. It's useless for users to complain about this problem
oldpig
oldpig 2024-04-28 09:59
”Huawei contributed all the source code "?, the title is completely inconsistent with the content.
Li Yinghui
Li Yinghui 2024-05-09 16:40
Buddhism has a good word, evil opinion. In dealing with the world, it is meaningless to draw conclusions from preset positions; It is also important to receive good logic training.
osc_566335
osc_566335 2024-04-28 14:44
This is also called floor washing? Does it mean that Tesla will not wash the floor if it releases all the source code? Some people HWptds? That is to say, the language is ambiguous, which will also rise to the washing ground? Are some people too focused? Think the people he pays attention to must be staring at?
zzeric
zzeric 2024-04-28 20:01
Although France is the parent community, the core developers of OCCT on github are all Russians. Without Russians, the French parent community cannot continue to operate. So Huawei took over, moved to China, changed its name and resumed open source and community operations. What's the problem?
monkey_cici
monkey_cici 2024-05-09 00:25
My I9 CPU, 64GB memory module and 3080Ti computer are inferior to the top configuration of 19999 on a tablet
Yeah, for
Yeah, for 2024-05-17 13:42
That's too right. Old Zhou can't control Google, but he can control 360. Do not do to others what you do not want. All 360 products should be opened first.
Love to eat raw pears
Love to eat raw pears 2024-06-01 11:48
Why is this so-called "vulnerability" not a vulnerability? Spring, MyBatis and other frameworks can accept all kinds of CVE criticism, while MyBatisPlus has to dump the pot and accuse programmers of being too low-level# There is a difference. The premise is that you write XML, MyBatisPlus encapsulates Wrapper and claims to simplify code. Since it encapsulates and hides $#, it is not appropriate to do some necessary security checks? Instead of doubting the authority of CVE, you should know that SQL ->MyBatis ->MyBatisPlus ->various back-end scaffolds have multiple layers, each layer is simplifying, and each layer is throwing away the upper layer of the boiler. Who dares to use them. The programmers who use MyBatisPlus can't be expected to be at a high level. Every programmer wants to save effort. The front-end parameters can be directly obtained by HttpServletRequest from the back-end. Wrapper splicing can be found everywhere. If something goes wrong, is it the front-end or the framework? According to Qingmiao, can the injection vulnerability of the previous log4j and the deletion vulnerability of the Druid be used to eliminate low-level programmers?
People are addicted to food
People are addicted to food 2024-06-01 13:53
History history combination
osc_92224065
osc_92224065 2024-04-29 10:57
Long term oppressed outsourcing of state-owned enterprises
haol666
haol666 2024-05-31 18:56
This story is powerful, I take it seriously, until I see the end.
CodeDoger
CodeDoger 2024-05-02 20:48
35 It's too old to go to work and too early to retire at 60
Yoona520
Yoona520 2024-05-17 16:34
Zhou Hongyi is now living more and more like a clown. If he stays behind the scenes, he has to become an online celebrity. Can you learn from Lei Jun?
Happy LeapFrog
Happy LeapFrog 2024-05-18 09:18
But the question is: "What's the use of this for ordinary Android users?" Now the answer seems to be: "Almost nothing.".
Love to eat raw pears
Love to eat raw pears 2024-06-01 19:18
Don't expect programmers to have a deep understanding of the document. I still think that since the tool hides the details of $#, some necessary security checks are necessary. Many people do not use MybatisPlus directly, but use various so-called rapid development platforms. The MyBatisPlus rapid development platform Snowy, Guns, etc., has an impression that many versions have the problem of using Wrapper directly to splice the Request parameter. I remember that JeecgBoot was opened a lot of CVEs last year or the year before last because of the Wrapper splicing problem. Do you know the author of ibeetl? Many CVE blaming holes have been opened before. The problem is similar. The lack of basic knowledge "script editing permission" is actively handed over to the front end. What a low-level error or even low-energy behavior. However, I accepted it with an open mind and added a white list check.
Xiao Xu Middle aged
Xiao Xu Middle aged 2024-05-31 19:13
Very good
g
gamedot 2024-05-17 11:14
Old Zhou is deeply concerned about Huawei's great cause of open source. He is not a Huawei person, but has Huawei's soul.
Brother Xiao Yang
Brother Xiao Yang 2024-06-01 20:39
Isn't Ali developed? What are you afraid of? There's no need for every family to set up a set
The seven in one little King Kong
The seven in one little King Kong 2024-06-02 15:54
Those people only use resources, others are not developed by NPM...
-SORA-
-SORA- 2024-04-30 17:07
When this happened in a foreign country, the comment area suddenly became very objective and rational**
Small and beautiful software development
Small and beautiful software development 2024-06-01 05:06
Cheat one's job
kakai
kakai 2024-05-10 10:21
The world only knows that Android was created by Google. Several people know that Android is only a product acquired by Google. Similarly, what is the problem with Huawei's contribution to the collection of OGG open source work and integration into its own proprietary product line?
All the way north GP
All the way north GP 2024-04-25 14:55
America, the future of mankind
Dogo_Little People
Dogo_Little People 2024-06-02 12:24
Not everyone will go to see the document in full detail. As a general basic framework, the method naming should consider not only readability but also understandability. At least, it should also establish a cognition for developers. LambdaQueryWrapper is recommended. The official only briefly said that QueryWrapper may lead to SQL injection risks, There are no detailed examples (many people don't understand what SQL injection is). Now I met a jerk and submitted it to CVE to see who is the most powerful
xiaoqibabby
xiaoqibabby 2024-05-15 17:36
The bank is strongly required to be responsible for
Hakuna
Hakuna 2024-05-31 18:28
It is compatible with Oracle, but does not know "just" or "just". Those who can be compatible with Oracle and do well are real men and real warriors. You should know that compatibility means that even bugs must be compatible, and you have no other code that can not be copied. It's all based on real skills and understanding of oracle.
Xiao Xu Middle aged
Xiao Xu Middle aged 2024-06-01 06:49
thank
infoworld
infoworld 2024-05-11 15:12
Universities should use open source free software instead of commercial ones. In this way, hands and feet will not be tied technically.
Rocket ship
Rocket ship 2024-05-31 19:22
It's a ghost anyway.
G
GDWhisperer 2024-05-15 17:23
I transferred tens of thousands of yuan to my own account, which was under risk control. How did I do this? The bank should be responsible for this**
Ning Jinnong
Ning Jinnong 2024-06-01 21:04
Correct it. The example of loading the library is wrong. It should be # library=@ loading the dynamic library, "./yards to the treasurer. dll"
Ma Nong Little Fatty Brother
Ma Nong Little Fatty Brother 2024-05-16 14:40
I give you six seconds. I give you six moves with the same effect in the martial arts contest, which shows the invincibility and confidence of the master
One code Yma
One code Yma 2024-05-09 09:58
Recently, I often go to interviews. People who hate Ali background most regard me as a fool, even though I am a fool
Shen Lang Panda
Shen Lang Panda 2024-06-01 08:16
You can directly ask questions in the project work order. The comment area is not suitable for answering such questions
osc_25732934
osc_25732934 2024-06-01 19:30
It seems that the current version of the Foreign Function&Memory API is not as fast as that of jni, or even worse. In addition, before vallhala comes out, all interactions between java and c have to get an additional memory. Even if it comes out, it may not be possible to directly throw a copy of binary data into memory as a structure. When the two apis are completely stable, the day lily is cold
Bright
Bright 2024-05-19 23:25
What a fool! I killed myself. How can people deal with me later.
Chief taxi captain
Chief taxi captain 2024-05-17 11:17
I suggest that 360 open source all its products, and then become the leading enterprise in the domestic open source industry through open source, leading everyone to compete with foreign enterprises
kangaroo
kangaroo 2024-06-01 22:23
The next version focuses on improving existing functions * improving internal power and qi * and continues to move towards the goal of Grand Master.
Monkeys think of apes
Monkeys think of apes 2024-05-31 18:31
You can cheat your brother. Just don't cheat yourself
sweet potato chips
sweet potato chips 2024-05-31 22:08
Glue code consumes few resources
Bright Stars 2
Bright Stars 2 2024-05-31 23:28
Remove Unsafe? You don't want netty anymore?
jalena
jalena 2024-05-31 23:57
I can imagine that I will also receive the CVE repair request next week..... I don't use the key!!!!!!!!!
One code Yma
One code Yma 2024-05-06 09:14
My technical article was moved by CSDN. Why didn't anyone step on the sewing machine? This kind of report is a joke to me. The monsters with background are fine, and the monsters without background fight to death
F
Francesca 2024-05-19 18:00
Wine runs the Android emulator of Windows. Chrome OS is installed in the Android emulator. Linux environment is installed in chrome OS. Linux environment is installed in the Linux environment. Wine is installed in the Android emulator
looly
looly 2024-06-02 14:32
@Qingmiao Hutool has also been mentioned some loopholes that I think are relatively "low-level", or I think are not loopholes. At first, I was also very angry, but after thinking it through, I found that CVE's idea was that once you did not actively remind users that there was a pit, the user fell into the pit is your fault, that is, your vulnerability. For example, as a traffic policeman, you should remind everyone who crosses the road to pay attention to safety, and ask him to answer whether he knows. Once you don't remind someone and are hit by a car, you can't get away from it. Similarly, when using frameworks and tools, you should provide at least one parameter to remind users that there may be SQL injection vulnerabilities. Note that it is not in the comments, but in the method parameters, which is the user's responsibility. Therefore, it is not comprehensive to provide solutions in comments or documents.
Xiao Xu Middle aged
Xiao Xu Middle aged 2024-06-01 07:03
good
Yokesily
Yokesily 2024-06-02 15:11
So designed
hanf
hanf 2024-05-31 17:45
If only the design and architecture are similar, what's the point? Good things must be learned, and you can't prove that the design is not the same. As for the source code, you also said that neither Oracle nor Damon is open source, and you can't prove it. There are many people who question Dream, but so far, no one has come up with strong evidence. You should at least provide evidence to copy
young crops
young crops 2024-06-01 16:21
There is no tipping point. There are also many official documents stating that SQL fragments involving direct string splicing need to be controlled by the user, and specific solutions are also provided. If you say that the value part is injected, then we are also 100% free of any dispute. This obvious SQL fragment is unrealistic for ORM to explain without your control, Since SQL allows splicing fragments, there must be some scenarios that cannot be forced into non SQL strings. It is also very simple. Have you ever thought about why not force them???
sunday12345
sunday12345 2024-05-15 18:31
What does the bank do? It's blamed on the remote desktop. Persimmons really pick up soft pinches~?
Monkeys think of apes
Monkeys think of apes 2024-05-31 18:31
You can cheat your brother. Just don't cheat yourself
Qin Liming
Qin Liming 2024-05-11 09:12
be devoid of any sense of shame

Hot News

one
Microsoft makes major updates to open source font Cascadia Code
two
Why JavaScript, Python and Java are always the first choice of developers
three
The new shares of Damon Data were listed, and online subscription was launched on Friday
four
Instant messaging software ICQ will be closed on June 26, 2024
five
Huawei announces that Olympus will become a hot issue in 2024 - 2 million yuan to solve AI and data storage problems
six
Tencent App Store has reached cooperation with Microsoft Store, and Windows can directly run mobile applications
seven
🏆 Tencent APIJSON 7 released, Huawei Cloud official number recommended • registered enterprise+1
eight
Google's search API document was accidentally released to GitHub: more than 2500 pages, revealing the inside story of search ranking
nine
Hackers use the mine sweeping game Python clone to hide malicious scripts and attack European and American financial institutions
ten
SQLite 3.46.0 release

Excellent column

Expert Q&A
Previous period

How do programmers get started with AI application development?

Talk about Unity and Native Bridging

How to Use Excelize to Process Excel Office Documents Efficiently

A daily blog
more

Source Code Analysis of Bookie Storage Architecture | Get Things Technology

KubeAI Large Model Reasoning Acceleration Practice | Get Things Technology

Maximizing the Effective Throughput of LLM Serving

News delivery
Immediate delivery

Welcome to deliver software and IT industry

Related news.

Recommended attention

Change a batch
No small farmers
No small farmers
Article 27
Access 5.9W
Owen_Blog
Owen_Blog
Article 12
Access 1.7W
qiangdada
qiangdada
Article 40
Access 10.2W
niucloud_admin
niucloud_admin
Article 7
Visit 676
Rabbit and rabbit looking for pictures
Rabbit and rabbit looking for pictures
Open source software author

Hot software

mod_security -Apache Security Module
Plotr -Prototype Chart Plug in
GreenSQL -Database firewall
OFBiz -Enterprise Process Automation
BackupPC -Enterprise level system backup tool
JTheque -Java Modular Application Development Framework
Endless Scroll -JQuery Scroller
Sync4J -Phone Synchronization Kit
jQuery Media Plugin
DAO Fusion -Lightweight DAO framework
Gemini Web -Modular Java application server
jQuery Mobile -HTML5 development framework
FireCookie -Cookie enhancements for Firebug
OpenJDK -Java development environment
JSFlot -JSF chart drawing library
OpenSSL -Encryption library
FreeArc -Open source compression software
Hibari -Open source NoSQL database engine
ThickBox -JQuery Dialog Plug in
cookies -Cookie plug-in of jQuery
thirty-eight comment
three Collection
share
Back to top
Top