Research for compromised packages after breach of July 12
After the security incident of July 12, I would like to know:
- Have you scanned the packages in the registry for the malicious code found in the
- Have you found any other packages?
- What measures have you planned for the future to prevent incidents like this?
- Do you have any advice on how to prevent this, apart from 2FA?
At the moment, I am very reluctant to run npm install in my node projects. I have to do it, but I have a bad feeling about it. The point is:
- I run npm install and npm downloads a lot of packages.
- I do not know which packages are downloaded, unless I run
- postinstall-hooks are executed right away, so even if I have the time to check all packages, this is hardly possible between the execution of npm install and the execution of the postinstall hooks.
- postinstall-hooks have complete access to my resources (home-folder, shared-folders, network). I can imagine much more serious issues (trojans, crypto-viruses) that could happen.
Thanks for the follow up on the eslint incident and the excellent questions. I’ve had these questions come up in some other conversations so I felt they deserved a bit of a larger audience so I posted an answer up on our blog. You can find the post here: https://blog.npmjs.org/post/176488970320/community-questions-following-the-eslint-security