Research for compromised packages after breach of Juli 12


(Nils Knappmeier) #1

After the security incident of Juli 12, I would like to know:

  • Have you scanned the packages in the registry for the malicous code found in the eslint-scope-package?
  • Have you found any other packages?
  • What measures have you planned for the future to prevent incidents like this?
  • Do you have any advise on how to prevent this, apart from 2FA?

At the moment, I am very reluctant to run npm install in my node projects. I have to do it, but I have a bad feeling about it. The point is:

  • I run npm install and npm downloads a lot of packages.
  • I do not know which packages are downloaded, unless I run npm install
  • postinstall-hooks are executed right away, so even if I have the time to check all packages, this is hardly possible between the execution of npm install and the execution of the postinstall hooks.
  • The postinstall-hooks have complete access to my resources (home-folder, shared-folders, network). I can imagine much more serious issues (trojans, crypto-viruses) that could happen.

(Adam Baldwin) #2

Thanks for the follow up on the eslint incident and the excellent questions. I’ve had these questions come up in some other conversations so I felt they deserved a bit of a larger audience so I posted an answer up on our blog. You can find the post here. https://blog.npmjs.org/post/176488970320/community-questions-following-the-eslint-security


(system) #3

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.