top | item 45263141

(no title)

paulirish | 5 months ago

This vulnerability was reported to NPM in 2016: https://blog.npmjs.org/post/141702881055/package-install-scr... https://www.kb.cert.org/vuls/id/319816 but the NPM response was WAI.

discuss

rectang|5 months ago

Acronym expansion for those-not-in-the-know (such as me before a web search): WAI might mean "working as intented", or possibly "why?"

201984|5 months ago

Thank you. It's frustrating when people uncommon acronyms without explaining them.

debazel|5 months ago

Even if we didn't have post install scripts wouldn't the malware just run as soon as you imported the module into your code during the build process, server startup, testing, etc?

I can't think of an instance where I ran npm install and didn't run some process shortly after that imported the packages.

theodorejb|5 months ago

Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.

amai|5 months ago

NPM belongs to Microsoft. What do you expect?

myroon5|5 months ago

NPM was acquired 4 years after that post