Really astounding to see them publish this article today. I have a CVE that's about to go live regarding auditing tools like this one.
I contacted Snyk a week ago to point out that their audit tool (just like npm audit, and others) cannot fundamentally protect you from attacks like this when installed to the same environment as a malicious package. Almost feels like they are trying to get ahead of it.
I was withholding the CVE while other tools are wrapping up their mitigation strategy. NPMJS and Snyk folks basically shrugged their shoulders. This is kind of forcing my hand to publish now.
Well, here is the blog post explaining:
https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
And here is the snyk proof of concept:
https://github.com/akoumjian/npm-audit-vuln
TL;DR: Don't ever use the `npm install` version of Snyk. Use the binaries or the dockerized version.
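The closing advice above (run the audit tool from a standalone binary or a container, never from the project's own `node_modules`) can be turned into a pre-flight check. The script below is an added example, not the commenter's code, Snyk's, or anything from the linked proof of concept: it resolves the scanner binary on disk (following `node_modules/.bin` symlinks) and refuses it if it lives under the audited project's `node_modules`, where every installed dependency shares its filesystem. The function names, the `scanner` tool name and the fixture directory layout are all illustrative.

```shell
#!/bin/sh
# Added example: reject an audit tool that is co-installed with the packages
# it is supposed to audit. Function and tool names are hypothetical.

# Resolve a directory to its physical path without relying on realpath(1).
phys_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# audit_tool_is_isolated PROJECT_DIR TOOL_PATH
# Exit 0 if TOOL_PATH resolves to somewhere outside PROJECT_DIR/node_modules,
# exit 1 if it resolves inside it (or cannot be resolved at all).
audit_tool_is_isolated() {
  project=$(phys_dir "$1") || return 1
  target=$2
  # Follow symlink chains such as node_modules/.bin/tool -> ../tool/bin/tool,
  # since the .bin shim is what usually ends up on PATH.
  while [ -L "$target" ]; do
    link=$(readlink "$target") || return 1
    case $link in
      /*) target=$link ;;
      *)  target=$(dirname "$target")/$link ;;
    esac
  done
  [ -f "$target" ] || return 1
  tool_dir=$(phys_dir "$(dirname "$target")") || return 1
  case $tool_dir in
    "$project/node_modules"|"$project/node_modules/"*) return 1 ;;
  esac
  return 0
}

# verdict PROJECT_DIR TOOL_PATH: human-readable form of the check.
verdict() {
  if audit_tool_is_isolated "$1" "$2"; then
    echo isolated
  else
    echo co-installed
  fi
}

# fixture_dir: build a constructed directory tree for a demonstration and
# print its root. It contains a project with a scanner installed via
# node_modules (plus the .bin symlink npm creates) and a separate copy of the
# same scanner installed outside the project, as a standalone binary would be.
fixture_dir() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/proj/node_modules/.bin" \
           "$tmp/proj/node_modules/scanner/bin" \
           "$tmp/opt/scanner"
  printf '#!/bin/sh\necho scanning\n' > "$tmp/proj/node_modules/scanner/bin/scanner"
  printf '#!/bin/sh\necho scanning\n' > "$tmp/opt/scanner/scanner"
  chmod +x "$tmp/proj/node_modules/scanner/bin/scanner" "$tmp/opt/scanner/scanner"
  ln -s ../scanner/bin/scanner "$tmp/proj/node_modules/.bin/scanner"
  printf '%s\n' "$tmp"
}

# Usage: sh check.sh PROJECT_DIR "$(command -v snyk)"
if [ "$#" -eq 2 ]; then
  result=$(verdict "$1" "$2")
  echo "$2: $result"
  [ "$result" = isolated ]
fi
```

Run it against the real project with `sh check.sh . "$(command -v snyk)"` before trusting the scan output; a `co-installed` verdict means the tool shares `node_modules` with whatever it is scanning and should be replaced with the standalone binary or the container image, as the comment recommends.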