Quantcast
Channel: JavaWorld Security
Viewing all articles
Browse latest Browse all 148

Node.js alert: Google engineer finds flaw in NPM scripts

$
0
0

Never assume a file downloaded from the Internet is safe. That warning also applies to NPM, the default package manager for Node.js. A vulnerability in package install scripts would let an attacker create a self-replicating worm that can spread through NPM packages.

“It is possible for a single malicious NPM package to spread itself across most of the NPM ecosystem very quickly,” Sam Saccone, a software engineer at Google, wrote in his NPM hydra worm disclosure.

Like many other package managers, NPM supports lifecycle scripts, which can execute arbitrary commands on the system with the permissions of the current user. Though lifecycle scripts can be useful for cleaning up files after an installation, compiling binary dependencies, and automatically generating a configuration file, they can also be dangerous since the script can execute commands that modify the system.

To read this article in full or to leave a comment, please click here


Viewing all articles
Browse latest Browse all 148

Trending Articles