Here’s all the information I’ve found.

💻☠️🏴

People found malicious packages in npm that work like the real ones and are named similarly to real ones, but collect your process environment and send it to a third-party server when you install them:

@kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx — Oscar Bolmsten (@o_cee) August 1, 2017

This is dangerous because, on CI servers, the environment usually contains various secret tokens (registry, cloud and deployment credentials).

What to do if I’m a user?

Regenerate the secret tokens if you installed any package from these as a dependency:

(Screenshot of the cached page with the packages; npm has also confirmed this list.)

babelcli - v1.0.1 - Babel CLI for Nodejs
crossenv - v6.1.1 - Run scripts that set and use environment variables across platforms
cross-env.js - v5.0.1
d3.js - v1.0.1 - d3.js for Nodejs
fabric-js - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
ffmepg - v0.0.1 - FFmpeg for Nodejs
gruntcli - v1.0.1 - Grunt CLI for Nodejs
http-proxy.js - v0.11.3 - Node.js proxy tools
jquery.js - v3.2.2-pre - jquery.js for Nodejs
mariadb - v2.13.0 - A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.
mongose - v4.11.3 - Mongoose MongoDB ODM
mssql.js - v4.0.5 - Microsoft SQL Server client for Node.js.
mssql-node - v4.0.5 - Microsoft SQL Server client for Node.js.
mysqljs - v2.13.0 - A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.
nodecaffe - v0.0.1 - caffe for Nodejs
nodefabric - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
node-fabric - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
nodeffmpeg - v0.0.1 - FFmpeg for Nodejs
nodemailer-js - v4.0.1 - Easy as cake e-mail sending from your Node.js applications
nodemailer.js - v4.0.1 - Easy as cake e-mail sending from your Node.js applications
nodemssql - v4.0.5 - Microsoft SQL Server client for Node.js.
node-opencv - v1.0.1 - OpenCV for Nodejs
node-opensl - v1.0.1 - OpenSSL for Nodejs
node-openssl - v1.0.1 - OpenSSL for Nodejs
noderequest - v2.81.0 - Simplified HTTP request client.
nodesass - v4.5.3 - Wrapper around libsass
nodesqlite - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
node-sqlite - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
node-tkinter - v1.0.1 - Tkinter for Nodejs
opencv.js - v1.0.1 - OpenCV for Nodejs
openssl.js - v1.0.1 - OpenSSL for Nodejs
proxy.js - v0.11.3 - Node.js proxy tools
shadowsock - v2.0.1 - A tunnel proxy that help you get through firewalls
smb - v1.5.1 - A Pure JavaScript SMB Server Implementation
sqlite.js - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
sqliter - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
sqlserver - v4.0.5 - Microsoft SQL Server client for Node.js.
tkinter - v1.0.1 - Tkinter for Nodejs

Here’s also a one-liner that will list these packages if any of them were installed as a dependency:
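As an added example (not the post’s one-liner), here is a small script that walks a package-lock.json, both the nested v1 layout and the flat "packages" layout of v2/v3, and reports every installed path whose package name is on the list above. The lock-file contents are constructed for illustration; in practice you would `JSON.parse` your project’s own package-lock.json and pass it in.

```javascript
// Names from the confirmed list above.
const MALICIOUS = new Set([
  'babelcli', 'crossenv', 'cross-env.js', 'd3.js', 'fabric-js', 'ffmepg',
  'gruntcli', 'http-proxy.js', 'jquery.js', 'mariadb', 'mongose', 'mssql.js',
  'mssql-node', 'mysqljs', 'nodecaffe', 'nodefabric', 'node-fabric',
  'nodeffmpeg', 'nodemailer-js', 'nodemailer.js', 'nodemssql', 'node-opencv',
  'node-opensl', 'node-openssl', 'noderequest', 'nodesass', 'nodesqlite',
  'node-sqlite', 'node-tkinter', 'opencv.js', 'openssl.js', 'proxy.js',
  'shadowsock', 'smb', 'sqlite.js', 'sqliter', 'sqlserver', 'tkinter',
]);

// Returns [{ name, version, path }] for every installed copy of a listed
// package, including transitive copies nested under other dependencies.
function findMaliciousPackages(lock, blocklist = MALICIOUS) {
  const hits = [];
  const record = (name, version, path) => {
    if (blocklist.has(name)) hits.push({ name, version, path });
  };

  // lockfileVersion 1: transitive deps nest under "dependencies".
  const walkV1 = (deps, base) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${base}node_modules/${name}`;
      record(name, info.version, path);
      walkV1(info.dependencies, `${path}/`);
    }
  };

  if (lock.packages) {
    // lockfileVersion 2/3: every installed path is a flat key such as
    // "node_modules/a/node_modules/b"; the name is the part after the
    // last "node_modules/" (scoped names keep their "@scope/" prefix).
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const marker = 'node_modules/';
      const name = info.name || path.slice(path.lastIndexOf(marker) + marker.length);
      record(name, info.version, path);
    }
  } else {
    walkV1(lock.dependencies, '');
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lock files: the real cross-env plus a transitive
// dependency that pulled in the look-alike "crossenv", and a v3 lock with a
// nested "mongose".
const SAMPLE_LOCK_V1 = {
  name: 'my-app', lockfileVersion: 1,
  dependencies: {
    'cross-env': { version: '5.0.1' },
    'some-lib': { version: '1.2.3', dependencies: { crossenv: { version: '6.1.1' } } },
  },
};
const SAMPLE_LOCK_V3 = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/babel-cli': { version: '6.26.0' },
    'node_modules/other/node_modules/mongose': { version: '4.11.3' },
  },
};

console.log(findMaliciousPackages(SAMPLE_LOCK_V1));
console.log(findMaliciousPackages(SAMPLE_LOCK_V3));
```

A hit anywhere in the tree, not only at the top level, means the install script already ran on every machine that installed the project, so the tokens in that environment should be rotated.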

Always check the names of the packages you’re installing. You can also look at the download count: if a package is supposedly popular but its download count is low, something is wrong.

What to do if I’m a library developer?

I see two options:

Use scopes (@scope/package-name) for your packages. With scopes, it might seem harder to install a wrong package accidentally: a user would have to misspell both the scope name and the package name. Unfortunately, it’s not: it’s enough to misspell just the scope name (e.g. @babel/babel-cli → @bable/babel-cli). Scopes might help a bit because they can have a simple name that’s harder to misspell, but it’s still not a universal solution.

Take the most common misspellings of your packages yourself. Think of the most common misspellings and publish empty packages under these names. You can also warn users about the right name with npm deprecate.
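For the second option, here is an added example (not from the original post) that enumerates the kinds of misspellings seen in the list above, so a maintainer can reserve them with empty placeholder packages and point users at the real name with `npm deprecate`. The variant families mirror the incident: dropped hyphen (crossenv), a “.js” suffix (cross-env.js), a “node” prefix (nodesass), and a dropped or swapped character (mongose, ffmepg). The function and its name are mine, not an npm API.

```javascript
// Returns a sorted list of plausible misspellings of an npm package name.
// Only unscoped names are handled; names are kept lowercase and limited to
// the characters npm accepts, and must not start with "." or "_".
function misspellings(name) {
  const out = new Set();
  const add = (s) => {
    if (s && s !== name && /^[a-z0-9][a-z0-9._-]*$/.test(s)) out.add(s);
  };

  // separator variants: cross-env -> crossenv, cross_env, cross.env
  add(name.replace(/-/g, ''));
  add(name.replace(/-/g, '_'));
  add(name.replace(/-/g, '.'));

  // suffix and prefix variants: cross-env -> cross-env.js, node-cross-env
  for (const suffix of ['.js', '-js', 'js']) add(name + suffix);
  if (!name.startsWith('node')) {
    add(`node-${name}`);
    add(`node${name}`);
  }

  // drop one character: mongoose -> mongose
  for (let i = 0; i < name.length; i++) {
    add(name.slice(0, i) + name.slice(i + 1));
  }

  // swap two adjacent characters: ffmpeg -> ffmepg
  for (let i = 0; i < name.length - 1; i++) {
    add(name.slice(0, i) + name[i + 1] + name[i] + name.slice(i + 2));
  }

  return [...out].sort();
}

console.log(misspellings('cross-env'));
```

Before publishing a placeholder, check each candidate with `npm view <name>` so you do not collide with an unrelated legitimate package; if a candidate is already taken by something that is not yours, that is worth a closer look rather than a placeholder.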

Is this even OK?

This isn’t surprising: npm doesn’t have any protection against this yet, which means other malicious packages may well exist. Stay careful and check package names.

npm is working on a solution though:

I'm working on a thing that uses quality metrics and prompts users. It would probably catch just about everything folks have brought up — 多分◯ちゃんよね🕵🏼‍♀️ (@maybekatz) August 1, 2017

You can also participate in Yarn’s discussion about a whitelist for packages with preinstall / postinstall scripts.
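The install-time scripts are what made these packages dangerous: npm runs a dependency’s preinstall, install and postinstall hooks with the full process environment. As an added example (not Yarn’s or the post’s code), this function lists every installed package that declares such a hook and flags the ones not on an explicit allow-list, which is the shape of the whitelist that discussion is about. The package.json objects are constructed for illustration; in practice you would read them from each directory under node_modules.

```javascript
// Lifecycle hooks npm runs while installing a dependency from the registry.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// packages: { "node_modules/<path>": <parsed package.json> }
// allowList: Set of package names whose install scripts are expected.
// Returns one finding per package that declares at least one hook.
function auditInstallScripts(packages, allowList = new Set()) {
  const findings = [];
  for (const [path, pkg] of Object.entries(packages)) {
    const scripts = pkg.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
    if (hooks.length === 0) continue;
    findings.push({
      name: pkg.name,
      path,
      hooks: hooks.map((h) => `${h}: ${scripts[h]}`),
      allowed: allowList.has(pkg.name),
    });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample tree: one native-addon package with an expected build
// step, one package with no scripts at all, and one placeholder package
// ("suspicious-pkg" is a made-up name) that runs code at install time.
const SAMPLE_TREE = {
  'node_modules/native-addon': {
    name: 'native-addon',
    version: '4.5.3',
    scripts: { install: 'node scripts/build.js', test: 'mocha' },
  },
  'node_modules/plain-lib': {
    name: 'plain-lib',
    version: '1.0.0',
    scripts: { test: 'jest' },
  },
  'node_modules/plain-lib/node_modules/suspicious-pkg': {
    name: 'suspicious-pkg',
    version: '0.0.1',
    scripts: { postinstall: 'node index.js' },
  },
};

const EXPECTED_BUILDERS = new Set(['native-addon']);

// Only the unexpected ones need a human to look at them.
function unexpectedInstallScripts(packages, allowList) {
  return auditInstallScripts(packages, allowList).filter((f) => !f.allowed);
}

console.log(unexpectedInstallScripts(SAMPLE_TREE, EXPECTED_BUILDERS));
```

Until a registry-side whitelist exists, the blunt equivalent is to install with `npm install --ignore-scripts` (or `yarn install --ignore-scripts`) on CI and run the hooks of the few packages that genuinely need them yourself.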
