Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects (socket.dev) 18 points by 882542F3884314B 1mo ago ↗ HN
[–] gnabgib 1mo ago ↗ All Composer packages (but the malicious part is in the node dependency)Effected*> Use effect as a noun to refer to a change resulting from something.
[–] tedchs 1mo ago ↗ How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
[–] nullsex 1mo ago ↗ Title is somewhat misleading. "Node projects" mean projects using nodejs as opposed to projects under the Node.js org.
[–] kspetkov79 1mo ago ↗ Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
5 comments
[ 3.3 ms ] story [ 22.8 ms ] threadEffected*
> Use effect as a noun to refer to a change resulting from something.