This gives yet another example of why "ignore scripts"[0] should be the default setting for npm install.
Actually it's a pity that the npm Security Insights API[1] seems to have been abandoned since the company was bought by Microsoft. It seems like it could have highlighted the addition of a suspicious install script, although how useful it would be in practice would depend on the UX of the tooling that uses it.
Unfortunately with 1.7M+ NPM modules and the approach of using lots of small external libraries, I'd expect to see this kind of attack increasing in popularity.
The question is, for every one of these attacks that get spotted, how many are slipping by.
Curious to know if the authors had 2FA enabled and how they got compromised. And if they didn't themselves get compromised via compromised dependencies.
3 comments
[ 3.1 ms ] story [ 21.8 ms ] threadActually it's a pity that the npm Security Insights API[1] seems to have been abandoned since the company was bought by Microsoft. It seems like it could have highlighted the addition of a suspicious install script, although how useful it would be in practice would depend on the UX of the tooling that uses it.
[0] https://www.nerdycode.com/prevent-npm-executing-scripts-secu...
[1] https://blog.npmjs.org/post/189189888357/npm-security-insigh...
The question is, for every one of these attacks that get spotted, how many are slipping by.
Curious to know if the authors had 2FA enabled and how they got compromised. And if they didn't themselves get compromised via compromised dependencies.