After the security incident of July 12, I would like to know:
- Have you scanned the packages in the registry for the malicious code found in the
- Have you found any other packages?
- What measures have you planned for the future to prevent incidents like this?
- Do you have any advice on how to prevent this, apart from 2FA?
At the moment, I am very reluctant to run `npm install` in my node projects. I have to do it, but I have a bad feeling about it. The point is:
- I run `npm install` and npm downloads a lot of packages.
- I do not know which packages are downloaded, unless I run
- postinstall-hooks are executed right away, so even if I have the time to check all packages, this is hardly possible between the execution of `npm install` and the execution of the postinstall hooks.
- postinstall-hooks have complete access to my resources (home-folder, shared-folders, network). I can imagine much more serious issues (trojans, crypto-viruses) that could happen.