쉐도잉 연습: BIGGEST npm Hack of 2026 Just Happened?! - YouTube로 영어 말하기 배우기
어려움
쉐도잉 컨트롤
0% 완료 (0/92 문장)
Axios, which is one of the most popular packages out there to make HTTP requests in JavaScript, has been compromised and it's bad.
⏸ 일시 정지
재생 속도:
반복 횟수:
대기 모드:
자막 동기:0ms
모든 문장
92 문장
1
Axios, which is one of the most popular packages out there to make HTTP requests in JavaScript, has been compromised and it's bad.
0:00.04 – 0:07.14 (7.1s)
2
It's really bad.
0:07.14 – 0:07.92 (0.8s)
3
Axios is a package which has 100 million weekly downloads.
0:07.92 – 0:12.34 (4.4s)
4
That's a mind-boggling number and as you can see, it's only increasing as time is going by, right?
0:12.34 – 0:17.28 (4.9s)
5
For those of you who don't know what Axios is, it's basically a promised-based HTTP client for browser and Node.js.
0:17.28 – 0:23.40 (6.1s)
6
Fancy way of saying that it allows you to make HTTP requests.
0:23.40 – 0:26.70 (3.3s)
7
Now back in the day when there was no native fetch available inside node.js or inside browsers it was very cumbersome to write the full syntax of making an HTTP request and that is where we used to use these tools like Axios like jQuery jQuery also has a decent way of making these HTTP requests right if I remember right nowadays it's much more common to just use fetch but a lot of code bases are stuck in the past right a lot of code bases have this as a dependency and this has been hacked On 31st of March, which is basically today, two malicious versions of Axios, the enormously popular JavaScript HTTP client with over 300 million weekly downloads, okay, it shows 100 million here, so I'm not sure which one is the right figure, but anyway, were briefly published to NPM via a compromised maintainer account.
0:26.96 – 1:13.56 (46.6s)
8
Packages contained a hidden dependency that deployed a cross-platform remote access Trojan to any machine that ran NPM install, or equivalent in other package managers like Bunn.
1:13.56 – 1:22.70 (9.1s)
9
The malicious versions were 1.14.1, and 0.30.4 were removed from NPM by this time, but they were still live for a couple of hours.
1:22.70 – 1:31.90 (9.2s)
10
And for a package that is getting 100 million weekly downloads, that's going to be a big enough number, right?
1:32.14 – 1:37.96 (5.8s)
11
Let's run some math.
1:37.96 – 1:39.10 (1.1s)
12
So if a package is getting 100 million downloads every week, and we have about 168 hours in one week, so we are doing roughly about 0.59 million or about 600k downloads averaged out every hour, right?
1:39.10 – 1:53.78 (14.7s)
13
And if it is up for a couple of hours, that's about 1.2 million malicious downloads, right?
1:53.78 – 1:58.62 (4.8s)
14
And of course, like this is all CI numbers and here and there, but even if we assume like 10% unique computers, that compromises roughly around 120,000 unique computers across the world, right?
1:58.62 – 2:10.74 (12.1s)
15
And even if you consider just 10% of these computers to be like actual users, not like automated CI systems and a formal compute, even then you are at 12,000 Unique Systems Compromised, which is a massive number.
2:10.74 – 2:24.16 (13.4s)
16
In just a couple of hours, because the package is so much popular, we have at least like 10,000 to 12,000 people whose real computer is now compromised.
2:24.22 – 2:32.78 (8.6s)
17
This is not a case of type of squatted package or a rogue dependency slipping into a build.
2:33.20 – 2:37.58 (4.4s)
18
the attacker had direct publishing access to the official Axios package, likely by compromising a maintainer's account.
2:37.52 – 2:43.70 (6.2s)
19
So somebody named Jason, his account was hacked and somebody literally published a new version release.
2:43.70 – 2:49.26 (5.6s)
20
So it was very clean.
2:48.68 – 2:50.42 (1.7s)
21
There was no hacking as such involved.
2:50.42 – 2:52.98 (2.6s)
22
Like the package itself was not hacked, its transitive dependencies were not hacked.
2:52.98 – 2:57.02 (4.0s)
23
There was a legit package publishing that happened.
2:57.02 – 2:59.52 (2.5s)
24
The attacker did not modify any Axios source files directly.
2:59.52 – 3:02.84 (3.3s)
25
Instead, they added a pre-staged malicious dependency, which is this plain crypto.js package to package JSON in the new Axios release.
3:02.84 – 3:09.74 (6.9s)
26
The plain crypto.js package itself was purpose built for this attack.
3:09.74 – 3:13.68 (3.9s)
27
So all the hacking stuff and, you know, whatever malicious thing was there that was inside this package, not in the core Axios package.
3:13.68 – 3:19.96 (6.3s)
28
But because this is a dependency of the package, you will automatically pull that.
3:19.96 – 3:23.48 (3.5s)
29
The double obfuscated and self-erasing malicious payload, right?
3:23.48 – 3:27.10 (3.6s)
30
So what they're saying is that the setup.js post-installer dropper uses two layers of obfuscation to avoid static analysis.
3:27.10 – 3:34.60 (7.5s)
31
Reverse base64 encoded with padding character substitution and XOR cipher with key this order underscore 7077 at a constant value of 333.
3:34.94 – 3:43.80 (8.9s)
32
So it's just lightly obfuscated, right?
3:44.00 – 3:46.54 (2.5s)
33
So again, like a lot of these security tools and whatever, what they do is that, you know, they'll just look at a piece of code and they'll try to figure out if this is malicious or not, right?
3:46.36 – 3:54.98 (8.6s)
34
That is what static analysis in this context means that you are analyzing something without actually executing it.
3:54.46 – 4:00.76 (6.3s)
35
And to bypass that, the attacker just obfuscated the code a little bit.
4:00.66 – 4:04.80 (4.1s)
36
Once de-obfuscated, the script detects the host operating system and reaches out to the C2 server at sfrclack.com to download a second stage payload appropriate for the platform.
4:05.08 – 4:14.66 (9.6s)
37
After execution, the malware erases its own tracks, it deletes setup, it removes package.json that contained the post-install hook and replaces it with a clean package.md renamed to package.json.
4:14.80 – 4:24.38 (9.6s)
38
If you inspect this package, after the fact, you would find no obvious signs of post-install script ever being there.
4:24.44 – 4:29.84 (5.4s)
39
So once it does all of this, this is what happens, at least on macOS, it downloads an Apple script, generates some unique ID, victim ID, fingerprints the system, beacons to the C2 every 60 seconds.
4:29.82 – 4:40.50 (10.7s)
40
And then, you know, basically it's a remote code execution on your computer, right?
4:40.80 – 4:44.78 (4.0s)
41
You can run script, you can run directories, you can kill the process as well, but you have got like a RCE vulnerability on the system.
4:44.30 – 4:51.64 (7.3s)
42
Similarly on Windows, on Linux, a Python rat is downloaded and launched as an orphan background process and basically you're able to compromise the whole system, the system on which it's working.
4:51.84 – 5:01.40 (9.6s)
43
See now this is a big big big issue right and the reason this is a big issue is because no matter what you look at, for example if you look at CI systems or if you look at personal computers, both are bad.
5:01.40 – 5:12.46 (11.1s)
44
In case of CI if you have you know a Trojan or something installed, what happens in a lot of use cases is that companies, especially the ones that are using their own CI environments, a lot of times they reuse the environments, right?
5:12.46 – 5:25.92 (13.5s)
45
Because technically speaking, CI system is supposed to be a secure execution environment because you are not executing any arbitrary code which you have not written, right?
5:25.92 – 5:34.70 (8.8s)
46
At least that's the hope.
5:34.70 – 5:35.96 (1.3s)
47
But if you are a bad developer, if you are somebody who does not pin their dependencies or you do not use lock files the way they are meant to be used, right?
5:35.96 – 5:44.88 (8.9s)
48
If you are very casual on just removing the lock file, running an empty npm install or bun install or pnpm install again, you are a bad developer.
5:44.88 – 5:52.20 (7.3s)
49
And that is why that is the reason why lock files existed.
5:52.20 – 5:55.16 (3.0s)
50
These sort of attacks have minimum impact is one of the strong reasons why lock files existed.
5:55.16 – 6:00.06 (4.9s)
51
And if you do not honor lock files regularly, this is something that would take you down, right?
6:00.06 – 6:04.40 (4.3s)
52
So CI systems, if they're reusing the environment, it's possible that the Trojan or the malware, whatever it is, it's there.
6:04.40 – 6:10.54 (6.1s)
53
And in the next build, even if your current build is not as sensitive, if the next build happens, and if you're not doing the cleanup properly, possible that that Trojan can take out your secrets or whatever is there, which you have given to your CI, which most of the companies actually do, right?
6:10.54 – 6:25.18 (14.6s)
54
When you're running a CI on production, that's like a very, very secure deployment or something that's happening.
6:25.18 – 6:30.22 (5.0s)
55
A lot of times your environment variables, you know, a bunch of production credentials are also part of CI, which is gonna be extremely risky if this happens.
6:30.22 – 6:38.14 (7.9s)
56
Similarly, on personal computers, I don't think I have to explain this one.
6:38.14 – 6:41.32 (3.2s)
57
Obviously, your personal data, you know, any sort of photos that you have, any sort of credentials that you have stored, could be anything.
6:41.32 – 6:47.94 (6.6s)
58
It's just super bad, right?
6:47.94 – 6:49.14 (1.2s)
59
Somebody has remote code execution on your system, they can run arbitrary code, it's gonna be bad.
6:49.14 – 6:53.38 (4.2s)
60
So the way, the only way that you can not be part of these hacks is, first of all, just do not randomly update your packages, right?
6:53.38 – 7:01.94 (8.6s)
61
This is like a big one.
7:01.94 – 7:02.90 (1.0s)
62
I don't know, like for some reason a lot of people just like to be at the latest thing you don't need that until and unless there is not a security issue or there is not some feature that you don't want feature that you want or a bug that you don't want there is no real reason to update the code right it's fine you will get some performance benefits and all of that but you can wait you don't have to stay on the bleeding edge right at least wait for seven to ten days for the community to catch up because again like you know this attack on axios this was caught within like couple of hours three hours maximum, right?
7:02.90 – 7:33.18 (30.3s)
63
So you can give like seven days, 10 days of time to the community to figure out whatever is there.
7:33.18 – 7:38.48 (5.3s)
64
This obviously does not guarantee there could be like a smart backdoor or a vector that is there for seven days, eight days, 10 days more, but it gives you at least the ability to, you know, be protected from these things.
7:38.48 – 7:49.04 (10.6s)
65
Second of all is that lock files.
7:49.04 – 7:51.74 (2.7s)
66
Please, please learn about them.
7:51.74 – 7:53.32 (1.6s)
67
This is so important.
7:53.32 – 7:54.44 (1.1s)
68
This is something, you know, it's super controversial for some reason.
7:54.44 – 7:57.54 (3.1s)
69
So this has made me remember this tweet that I did last year, right?
7:57.54 – 8:00.70 (3.2s)
70
On August 5th.
8:00.70 – 8:01.60 (0.9s)
71
I have done 30, 40 JavaScript interview calls in the past few weeks and I start with basic questions.
8:01.60 – 8:06.40 (4.8s)
72
And this is when you use a package manager like npm, it creates a file package log.json.
8:06.40 – 8:11.56 (5.2s)
73
If I open my package.json and remove all the caret symbols, you know, whatever, like the question was, but it was around package.json and log files.
8:11.56 – 8:17.48 (5.9s)
74
And you know, the kind of responses I got.
8:17.48 – 8:19.40 (1.9s)
75
Asking questions about whatever he has written is a terrible way to evaluate a candidate.
8:19.40 – 8:23.52 (4.1s)
76
Curious to know what you were trying to evaluate with this question.
8:23.52 – 8:25.96 (2.4s)
77
I have almost two decades of JS experience and would totally not want to work for you if this is the question.
8:26.02 – 8:30.94 (4.9s)
78
These are the people in your company that will get your product hacked because they will have a very nice solution that if npm install is broken, let's just remove lock file, install it, call it a day.
8:30.94 – 8:40.36 (9.4s)
79
They don't know about what version locking is.
8:40.36 – 8:42.76 (2.4s)
80
They would have no knowledge about you know what the carrot symbol is what tilde symbol is over here or you know what exact version means and these are the people that you work with every single day right that is why it's super important for you to be upskilled be security aware even if you are a front-end or a back-end developer not just like a full stack or devops or you know security guy you still should know about these security things that i talk about so yeah it's pretty bad it's all safe right now you know and again like axios there are some better packages from compared to axios the one that I personally use is this Xior, which is like a built-in replacement for Axios.
8:42.76 – 9:17.68 (34.9s)
81
It does not have a lot of impressive, like it does not have 100 million downloads, but this is good enough, right?
9:17.68 – 9:22.60 (4.9s)
82
It has just one dependency.
9:22.48 – 9:23.82 (1.3s)
83
It's small enough.
9:23.82 – 9:24.86 (1.0s)
84
It's 10 times smaller than Axios and it does most of the things that you want.
9:24.86 – 9:27.82 (3.0s)
85
So if you're using Axios, you can basically replace Axios with Xior and all of your code would still work fine.
9:27.82 – 9:34.32 (6.5s)
86
Unless and until and unless you're doing some magic work with, you know, Axios.
9:34.32 – 9:37.72 (3.4s)
87
Axios, on the other hand, has 25 dependencies, you know, total, which again is not really cool because again like if something bad happens to one of those transitive dependencies then you are also screwed and the same thing applies in Axios case also right so even if you are not using Axios it's possible that there is some transitive dependency that is using Axios and that would screw you even if you are not the one doing that right and that is where lock files really really become important because if you are locking the version of not only just your packages but actually all the way transitively down to every single package it's impossible for you to get hacked in this situation until and unless obviously you're not updating it on your own.
9:37.72 – 10:14.28 (36.6s)
88
So yeah, that's pretty much it for this video.
10:14.30 – 10:15.82 (1.5s)
89
Hopefully you liked it.
10:15.82 – 10:16.70 (0.9s)
90
If you did, make sure you leave a like and subscribe to the channel and I'm going to see you in the next video very soon.
10:16.70 – 10:22.00 (5.3s)
91
If you're still watching, make sure you leave a comment.
10:22.08 – 10:24.18 (2.1s)
92
I watched till the end below to tell me that you were still here and let me know what do you think about the video.
10:24.18 – 10:29.76 (5.6s)
수업 개요
이번 수업에서는 자바스크립트 HTTP 클라이언트인 Axios에 관한 내용을 통해 기술적인 영어 표현을 배우고, 영어 회화 연습을 진행합니다. 이 수업은 특히 해커 공격에 관련된 소식을 다루며, 최신 IT 용어와 개념을 익히는 데 중점을 두고 있습니다. 또한, 영어 발음 교정과 IELTS 스피킹 준비에 유용한 콘텐츠를 제공합니다. 이를 통해 학습자는 실제 상황에서 사용할 수 있는 실용적인 영어 표현을 연습할 수 있습니다.
주요 어휘 및 구문
- HTTP 요청 (HTTP requests) - 웹에서 데이터를 요청하기 위한 방법
- CSV 해킹 (hacking) - 컴퓨터 시스템에 무단 접근하는 행위
- 악성 코드 (malware) - 시스템에 피해를 주기 위해 설계된 소프트웨어
- 원격 접근 (remote access) - 다른 컴퓨터에 원거리에서 접근하는 방법
- 종속성 (dependency) - 다른 소프트웨어나 라이브러리에 의존하는 관계
- 개발자 (developer) - 소프트웨어를 설계하고 만드는 사람
- 보안 (security) - 정보와 시스템을 보호하기 위한 조치
- 환경 (environment) - 소프트웨어가 실행되는 시스템 설정
연습 팁
이번 영상은 기술적이고 전문적인 내용을 다루고 있기 때문에, 제시된 내용을 영어 쉐도잉하는 것이 중요합니다. 영상의 속도는 빠르지만, 각 문장을 반복해서 따라 읽는 연습을 통해 발음과 억양을 개선할 수 있습니다. 처음에는 천천히 따라 하고, 익숙해지면 점점 빠른 속도로 말해 보세요. 이렇게 함으로써 IELTS 스피킹 시험에서 요구되는 유창성을 기를 수 있습니다. 유튜브 영어 공부를 통해 다양한 주제를 다루는 영상을 찾아보고 반복하는 것도 좋은 방법입니다. 영어 회화 연습을 위해 친구와 함께 이 영상을 시청하고 내용을 토론하는 것도 추천합니다.
쉐도잉이란? 영어 실력을 빠르게 키우는 과학적 방법
쉐도잉(Shadowing)은 원래 전문 통역사 훈련을 위해 개발된 언어 학습 기법으로, 다언어 학자인 Dr. Alexander Arguelles에 의해 대중화된 방법입니다. 핵심 원리는 간단하지만 매우 강력합니다: 원어민의 영어를 들으면서 1~2초의 짧은 지연으로 즉시 소리 내어 따라 말하는 것——마치 '그림자(shadow)'처럼 화자를 따라가는 것입니다. 문법 공부나 수동적인 청취와 달리, 쉐도잉은 뇌와 입 근육이 동시에 실시간으로 영어를 처리하고 재현하도록 훈련합니다. 연구에 따르면 이 방법은 발음 정확도, 억양, 리듬, 연음, 청취력, 말하기 유창성을 크게 향상시킵니다. IELTS 스피킹 준비와 자연스러운 영어 소통을 원하는 분들에게 특히 효과적입니다.
ShadowingEnglish에서 효과적으로 학습하는 방법
- 영상 선택: 자연스럽고 명확한 영어가 사용된 YouTube 영상을 선택하세요. TED Talks, BBC 뉴스, 영화 장면, 팟캐스트, IELTS 모범 답변 영상이 좋습니다. URL을 복사해서 검색창에 붙여넣으세요. 짧은 영상(5분 이내)과 실제로 관심 있는 주제부터 시작하는 것이 동기 유지에 효과적입니다.
- 먼저 듣고 내용 이해하기: 처음에는 1배속으로 그냥 듣기만 하세요. 아직 따라 말할 필요는 없습니다. 문장의 의미를 파악하고, 화자가 어떻게 단어를 강조하고, 소리를 연결하고, 쉬어 가는지 주목하세요. 내용을 이해한 후 쉐도잉 연습을 하면 효과가 훨씬 좋아집니다.
- 쉐도잉 모드 설정:
- Wait Mode (대기 모드):
+3s또는+5s를 선택하면 한 문장이 재생된 후 자동으로 잠시 멈춰서 따라 말할 시간을 줍니다. 직접 컨트롤하고 싶다면Manual을 선택해서 Next를 눌러 진행하세요. - Sub Sync (자막 동기화): YouTube 자막이 오디오와 맞지 않을 수 있습니다.
±100ms로 조정해서 정확한 타이밍에 따라갈 수 있도록 맞추세요.
- Wait Mode (대기 모드):
- 소리 내어 쉐도잉하기 (핵심 연습): 이것이 연습의 핵심입니다. 문장이 재생되는 순간——또는 일시정지 중에——크고 자신감 있게 소리 내어 따라 하세요. 단순히 단어를 읽는 것이 아니라, 화자의 리듬, 강세, 음의 높낮이, 연음 방식을 그대로 흉내 내는 것이 중요합니다. 목표는 화자의 '그림자'처럼 들리는 것입니다. Repeat 기능으로 같은 문장을 여러 번 반복해서 자연스럽게 입에 붙을 때까지 연습하세요.
- 난이도 높이며 꾸준히 연습: 한 구절이 편해지면 더 도전적인 수준으로 올리세요. 속도를 <code>1.25x</code> 또는 <code>1.5x</code>로 높여 빠른 언어 반사 신경을 훈련하세요. Wait Mode를 <code>Off</code>로 설정해서 연속 쉐도잉을 하는 것이 가장 고급스럽고 효과적인 모드입니다. 매일 15~30분씩 꾸준히 연습하면 몇 주 안에 눈에 띄는 변화를 느낄 수 있습니다.
☕ 커피 한 잔 사주기
ShadowingEnglish는 여러분의 지원 덕분에 100% 무료로 운영됩니다. 서버 및 AI 유지 비용이 많이 듭니다. 여러분의 커피 한 잔이 큰 힘이 됩니다! ��