The Artima Developer Community
Java Buzz Forum
Node.js alert: Google engineer finds flaw in NPM scripts

News Manager

Posts: 47623
Nickname: newsman
Registered: Apr, 2003

News Manager is the force behind the news at Artima.com.
Node.js alert: Google engineer finds flaw in NPM scripts Posted: Mar 30, 2016 11:04 AM
This post originated from an RSS feed registered with Java Buzz by News Manager.
Original Post: Node.js alert: Google engineer finds flaw in NPM scripts
Feed Title: JavaWorld
Feed URL: http://www.javaworld.com/index.rss
Feed Description: JavaWorld.com: Fueling Innovation
Never assume a file downloaded from the Internet is safe. That warning also applies to NPM, the default package manager for Node.js. A vulnerability in package install scripts would let an attacker create a self-replicating worm that can spread through NPM packages.

“It is possible for a single malicious NPM package to spread itself across most of the NPM ecosystem very quickly,” Sam Saccone, a software engineer at Google, wrote in his NPM hydra worm disclosure.

Like many other package managers, NPM supports lifecycle scripts, which can execute arbitrary commands on the system with the permissions of the current user. Though lifecycle scripts can be useful for cleaning up files after an installation, compiling binary dependencies, and automatically generating a configuration file, they can also be dangerous since the script can execute commands that modify the system.

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use