Hacker News new | past | comments | ask | show | jobs | submit login

The post install script can be like any other script the user can run. There's no sandboxing so it can access anything the running user can access. So essentially, yes, it could infect any other module in there. I believe it could even run an "npm publish", which is pretty scary.



Even worse, `scp` the `~/.ssh/id_rsa` private key and known hosts file. The attack vector went tenfold.


The recent NPM situation was a real eye opener for me. I never gave much thought to the attack vectors involoving package managers.

> The post install script can be like any other script the user can run. There's no sandboxing so it can access anything the running user can access.

Wow. This just seems wrong that the script has such far reaching privileges.


Considering node.js is able to spawn subshells and execute whatever code it wants when running, install scripts pose no additional threat to just running the javascript.


The changes a package install makes ought to be limited to the source files within its subdirectory (and perhaps some precompiled binaries). I don't quite expect it to be installing rootkits, and the principle of least privilege dictates that it should not be allowed to.

Once the package is installed, it is already too late for a code review, or any mitigation. A well-written worm will never be detected.

It is unexpectedly bad design (or, in case of the JavaScript community, an expectedly bad design).




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: