npm Community Forum (Archive)

Malware scanning baked into the platform?

In light of recent news: https://twitter.com/kennwhite/status/1067133581435305984?s=09

I propose that whenever a new package is added / updated an automatic malware scan could be triggered on the repo. This could be one way of mitigating attacks on potentially millions of other repos.
In general, this would not have prevented it, as the file only contained encrypted strings.
Now the AV vendors are slowly catching up.
They have great research and test labs and we should not reinvent AV.
But probably cooperate with a great one (or more). Or partner with Google / VT.

See https://github.com/dominictarr/event-stream/issues/116#issuecomment-442180509
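To illustrate the reply's point, here is an added example that is not code from this thread, from npm or from any of the packages mentioned: a cleartext signature scan finds nothing in a module whose payload is a single opaque string literal, while a simple entropy heuristic over string literals at least surfaces that literal for human review. The sample sources, the signature list and the 4.5 bits/char threshold are all constructed assumptions.

```python
import math
import re

# Constructed sample sources (not code from event-stream or any real package).
# BENIGN_JS carries ordinary readable string literals; OPAQUE_JS carries one
# long literal of uniformly mixed characters, standing in for an encrypted
# payload that no cleartext signature would match.
BENIGN_JS = 'var greet = "hello world"; module.exports = function(n){ return greet + ", " + n; };'
OPAQUE_JS = 'var d = "Zq3+kT9/mR7xLb0WvN2pY5sHgUaE8dJfM1oCiVq4KnB6tGlcXyAz"; run(unlock(d));'

# Hypothetical cleartext indicators a signature-style scanner might look for.
SIGNATURES = ["child_process", "process.env", "require('http')"]

# Matches a single- or double-quoted JS string literal; group 2 is the body.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_scan(src: str) -> list:
    """Signature matching: only indicators present in cleartext are found."""
    return [sig for sig in SIGNATURES if sig in src]


def opaque_literals(src: str, min_len: int = 32, threshold: float = 4.5) -> list:
    """Heuristic: flag long string literals whose entropy is far above prose.

    Readable text sits well below 4.5 bits/char; encrypted or base64-like
    payloads sit above it. This only surfaces candidates for review, it does
    not decide maliciousness.
    """
    hits = []
    for _, body in STRING_LITERAL.findall(src):
        if len(body) >= min_len and shannon_entropy(body) >= threshold:
            hits.append(body)
    return hits


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("opaque", OPAQUE_JS)):
        print(name, "signatures:", signature_scan(src),
              "opaque literals:", opaque_literals(src))
```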