
Defeating the NPM Worm - svieira
https://davidbruant.github.io/writings/2016/04/08/defeating-the-npm-worm.html
======
feduzi
You also install Node.js scripts that may just execute anything upon
"require". "npm install --ignore-scripts" won't save you. But bash scripts...
oh, yeah... lethal.

There are problems with NPM, for sure. Like dependency level, absence of
possibility to review new releases, being rather closed than open
([https://medium.com/@azerbike/i-ve-just-liberated-my-modules-...](https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.jm8l8jfyi)).

Maybe going with open solutions for package management will solve most of these
problems. Like using the git protocol to host one's libraries on github (or gitlab
or bitbucket or anything where you can fetch dependencies and get to review
the code). Of course, this is not as simple as it sounds.

------
csense
This is why, every time I install something that uses NPM, I create a
dedicated user account for it.

Although even if NPM scripts only have access to files they need to access,
the damage is bad enough (e.g. if some malicious dependency of a dependency of
a dependency checks if it can find a DOM and if so siphons off a copy of every
password field to the attacker, every user of your website has just been
compromised even if your server's /usr/bin directory is safe).

~~~
feduzi
A dedicated user account... wow ([https://www.exploit-db.com/local/](https://www.exploit-db.com/local/)).

With the amount of software people build, and considering that really 90% of it
is total crap, we'll never be secure unless we are really picky with what we
use. But that does not work with our lazy nature and all those things about
bicycles you hear (like not inventing one; why would I do something by myself
if I can just use someone else's solution... duhhh).

We need better quality in our software, so we can trust it.

------
SoonDead
I'm interested in why this is not the default behaviour. Would it break anything
legit if npm just switched to this behaviour? Are there any strong
arguments against this?

I'm interested in use-cases where access to anything outside the current
folder (the folder npm is called in) is justified and depended on.

~~~
detaro
How are packages with native dependencies built? Presumably that requires
access to the compiler and libraries? (I don't know anything about how npm works,
so read those as real and not as rhetorical questions ;))

------
ilaksh
Lol. Is there a single example of anyone ever making such an 'npm worm'?
Regardless of what npm install can or can't do, if it's a malicious module
then the actual module code will be a problem too.

If you are that paranoid or it's that critical then you are going to have to
review every single line of code, which almost no one ever does for libraries.
And even so a library could always use the network to sneak more code onto the
computer that you didn't authorize.

npm doesn't give any more permissions than any other program run by the user.
It's a powerful tool. That isn't a reason for people to be scared of it in
ordinary circumstances.

------
SFJulie
Guess no one is a maintainer of pypy packages. The security model of Python
modules is also based on the conviction that no one will dare be an
asshole.

/me thinks it is weak security

