Proof-of-concept npm worm
JavaScript
Latest commit b181094 Apr 27, 2016 @contolini Merge pull request #2 from jesusprubio/master
Avoiding a break if the script field not present.
Permalink
Failed to load latest commit information.
.gitignore
LICENSE
README.md
index.js
package.json

README.md

pizza-party

Note: For obvious reasons, this was never published to npm. The code is old and poorly-tested so please don't consider it anything more than a learning opportunity.

This is a proof-of-concept npm worm.

When this module is installed (npm install pizza-party) an install script is executed that scans its parent node_modules directory for other node modules. It then adds the same install script to those modules, versions those modules (bumping the patch version) and attempts to publish them to npm.

It also opens a very important youtube video.

If the user has permission to administer the newly infected modules, they will be published and, eventually, installed by any users listing those modules as dependencies in their projects. They will then try and infect any new peer modules, propagating the install script indefinitely.

Protecting yourself from npm worms

  • Don't remain logged into npm. Run npm logout immediately after administering any of your node modules.
  • Don't run post install scripts when installing new modules. Use the --ignore-scripts flag when installing modules.
  • Pin your dependencies. Never use ^ or ~ in your package.json manifest. Use npm shrinkwrap.