Building an NPM Worm (2016)
13 days ago
- #javascript
- #npm
- #security
- npm scripts can be abused for malicious purposes, including self-replicating worms.
- A proof-of-concept npm worm, 'pizza-party', demonstrates how such a worm could infect modules and republish them.
- Loose semver habits (~ and ^) in package.json facilitate the spread of such worms.
- Protection measures include being logged into npm only when necessary and using npm shrinkwrap.
- Using others' code carries inherent risks, including executing malicious code unknowingly.
- The npm ecosystem's openness is beneficial but requires trust among developers to prevent abuse.
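The two risk factors the summary names, install-time scripts and loose semver ranges, can be checked mechanically before a manifest is trusted. The following is an added example, not code from the original article: `auditManifest`, `isLooseRange` and the sample manifest are constructed for illustration, and the lockfile check is passed in as a flag because a shrinkwrap lives outside package.json.

```javascript
// Added defensive audit of a package.json object (not from the original article).
// It flags lifecycle scripts that run at install time and dependency ranges that
// would let a freshly republished, compromised version be pulled in automatically.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepublishOnly'];

// True when a version range is not pinned to one exact version.
function isLooseRange(range) {
  const r = String(range).trim().replace(/^=/, ''); // "=1.2.3" is an exact pin
  if (r === '' || r === '*' || r === 'latest') return true;
  if (/^[\^~]/.test(r)) return true;                 // caret / tilde ranges
  if (/^[><]=?/.test(r)) return true;                // >=, >, <=, < ranges
  if (/(^|\.)[xX*](\.|$)/.test(r)) return true;      // 1.x, 1.2.*
  if (/\s-\s/.test(r) || /\|\|/.test(r)) return true; // hyphen ranges, unions
  return !/^\d+\.\d+\.\d+/.test(r);                  // git/file/tag specs are not pins
}

// Returns the install hooks present, every loosely ranged dependency, and a
// list of human-readable findings. opts.lockfilePresent is supplied by the
// caller (a constructed flag standing in for an npm-shrinkwrap.json check).
function auditManifest(pkg, opts = {}) {
  const scripts = pkg.scripts || {};
  const installHooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  const loose = Object.entries(deps)
    .filter(([, range]) => isLooseRange(range))
    .map(([name, range]) => ({ name, range }));
  const findings = [];
  if (installHooks.length) findings.push(`install-time scripts present: ${installHooks.join(', ')}`);
  if (loose.length) findings.push(`${loose.length} dependencies use loose ranges (auto-update risk)`);
  if (!opts.lockfilePresent) findings.push('no npm-shrinkwrap.json / lockfile: versions are not frozen');
  return { installHooks, loose, findings };
}

// Constructed sample manifest; the package names are placeholders.
const SAMPLE_PKG = {
  name: 'example-app',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js', test: 'mocha' },
  dependencies: { left: '^1.2.0', pad: '~0.3.1', exact: '1.0.0', anyver: '*' },
  devDependencies: { tool: '>=2.0.0' },
};

const sampleReport = auditManifest(SAMPLE_PKG, { lockfilePresent: false });
sampleReport.findings.forEach((f) => console.log('-', f));
```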