pizza-party

Note: For obvious reasons, this was never published to npm. The code is old and poorly tested, so please don't consider it anything more than a learning opportunity.

This is a proof-of-concept npm worm.

When this module is installed (npm install pizza-party) an install script is executed that scans its parent node_modules directory for other node modules. It then adds the same install script to those modules, versions those modules (bumping the patch version) and attempts to publish them to npm.

It also opens a very important youtube video.

If the user has permission to administer the newly infected modules, they will be published and, eventually, installed by any users listing those modules as dependencies in their projects. They will then try to infect any new peer modules, propagating the install script indefinitely.

Protecting yourself from npm worms

  • Don't remain logged into npm. Run npm logout immediately after administering any of your node modules.
  • Don't run post install scripts when installing new modules. Use the --ignore-scripts flag when installing modules.
  • Pin your dependencies. Never use ^ or ~ in your package.json manifest. Use npm shrinkwrap.
