Note: For obvious reasons, this was never published to npm. The code is old and poorly-tested so please don't consider it anything more than a learning opportunity.
This is a proof-of-concept npm worm.
When this module is installed (
npm install pizza-party) an install script is executed that scans its parent
node_modules directory for other node modules. It then adds the same install script to those modules, versions those modules (bumping the patch version) and attempts to publish them to npm.
It also opens a very important youtube video.
If the user has permission to administer the newly infected modules, they will be published and, eventually, installed by any users listing those modules as dependencies in their projects. They will then try and infect any new peer modules, propagating the install script indefinitely.
Protecting yourself from npm worms
- Don't remain logged into npm. Run
npm logoutimmediately after administering any of your node modules.
- Don't run post install scripts when installing new modules. Use the
--ignore-scriptsflag when installing modules.
- Pin your dependencies. Never use