Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



4 Commits

Repository files navigation


Note: For obvious reasons, this was never published to npm. The code is old and poorly-tested so please don't consider it anything more than a learning opportunity.

This is a proof-of-concept npm worm.

When this module is installed (npm install pizza-party) an install script is executed that scans its parent node_modules directory for other node modules. It then adds the same install script to those modules, versions those modules (bumping the patch version) and attempts to publish them to npm.

It also opens a very important youtube video.

If the user has permission to administer the newly infected modules, they will be published and, eventually, installed by any users listing those modules as dependencies in their projects. They will then try and infect any new peer modules, propagating the install script indefinitely.

Protecting yourself from npm worms

  • Don't remain logged into npm. Run npm logout immediately after administering any of your node modules.
  • Don't run post install scripts when installing new modules. Use the --ignore-scripts flag when installing modules.
  • Pin your dependencies. Never use ^ or ~ in your package.json manifest. Use npm shrinkwrap.


No releases published


No packages published