Malicious Modules

npm is an open ecosystem, where anyone with an e-mail address can contribute a module to the repository, and in turn, any user with an npm client installed can consume it.

But what makes a module malicious?

Upon requiring it, the module could gather information from your system or network and send it out to a third party.

Upon installing it, the module could have an install phase in which it runs destructive commands, for example: rm -rf /

By now you’re thinking “but who would consciously install a malicious module?”

Typosquatting — an attack in which malicious modules are given names similar to those of real modules, so that a user could install them by accident through a typo, or through phishing websites.

[Image: report from the Snyk.io website of malicious modules submitted to npm]

This problem isn’t unique to npm either: it has hit both Ruby and Python as well.

You’re welcome to read a very interesting and detailed piece of research on the subject by Nikolai Tschacher: Typos in package managers, a bachelor’s thesis in computer science.
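The two install-time risks described above can be turned into a check a team runs before adopting a dependency. The following is an added example, not code from the original post: it flags install-phase lifecycle scripts in a package.json and names within a small edit distance of well-known packages. The popular-name list and the sample package.json are constructed, and `auditPackage` and `editDistance` are names chosen here, not an npm or Snyk API.

```javascript
// Added example (not from the original post). Lifecycle hooks npm runs
// automatically during install; a script under any of these executes code
// on the installing machine before the developer has looked at the package.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      prev[j] = Math.min(
        prev[j] + 1, // deletion
        prev[j - 1] + 1, // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1) // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Audit a parsed package.json against a list of well-known package names.
// Returns the hooks that would run at install time and any popular names
// the package name is a typo away from, so the caller can decide to block.
function auditPackage(pkg, popularNames, maxDistance = 2) {
  const installScripts = LIFECYCLE_HOOKS.filter(
    (hook) => pkg.scripts && typeof pkg.scripts[hook] === "string"
  ).map((hook) => ({ hook, command: pkg.scripts[hook] }));
  const typosquatOf = popularNames.filter(
    (name) => name !== pkg.name && editDistance(pkg.name, name) <= maxDistance
  );
  return { name: pkg.name, typosquatOf, installScripts };
}

// Constructed sample: a package.json whose name is a typo of "lodash" and
// which runs a command at install time. A real package would be read from disk.
const samplePackageJson = {
  name: "lodahs",
  version: "1.0.0",
  scripts: { postinstall: "node ./setup.js" },
};
const popular = ["lodash", "express", "request", "chalk"]; // constructed list

console.log(JSON.stringify(auditPackage(samplePackageJson, popular), null, 2));
```

In a real pipeline the popular-name list would come from registry download statistics and the check would run over every entry in a lockfile, not a single package.json.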

Malicious Contributors

A special case of malicious modules is malicious contributors, who may send you a PR containing a backdoor, or one that adds a project dependency of their own, which is of course malicious.

You might not notice it during code review, and there you have it — you bundled it straight into your own module.