npm Information for VU#319816
npm fails to restrict the actions of malicious npm packages
Vendor Information
- Date Notified: 11 Feb 2016
- Statement Date:
- Date Updated: 25 Mar 2016
The lifecycle script feature that the worm relies upon is intrinsic to the
operation of npm and many other package managers. We have made a decision
balancing security against utility and decided not to disable this feature.
Any step short of disabling this feature becomes a cat-and-mouse game of
attempting to predict what a given user script will do, which becomes akin
to the halting problem.
Our real-world mitigation steps are:
1. registry publishing has a kill switch independent of registry installs, so a worm's progress can be instantly halted once identified
2. we can programmatically identify and un-publish, post-hoc, any compromised packages, reverting them to their last good versions
Users who are uncomfortable with this decision can disable this feature at
the client side with the `ignore-scripts` option, which can be invoked at
install time or permanently set with `npm config set ignore-scripts true`.
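As an added illustration of the client-side mitigation named in the statement (this is example code written for this page, not the CERT note's or npm's own tooling), the following Node.js script reads an `.npmrc` for the `ignore-scripts` setting and lists the install-time lifecycle hooks (`preinstall`, `install`, `postinstall`) that package manifests declare, so an administrator can see which hooks would run and confirm the setting suppresses them. The `.npmrc` and `package.json` contents are constructed samples, and the `.npmrc` parser is a deliberate simplification of npm's ini handling, not npm's own config loader.

```javascript
'use strict';

// Install-time lifecycle hooks npm runs from a dependency's package.json.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Minimal .npmrc parser: "key=value" lines, ';' or '#' comments.
// Simplification of npm's ini handling, for illustration only (assumption).
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// True when the client-side mitigation from the vendor statement is set.
function ignoreScriptsEnabled(npmrcText) {
  return parseNpmrc(npmrcText)['ignore-scripts'] === 'true';
}

// Install-time hooks a manifest declares, in npm's execution order.
function installHooks(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// For each manifest, report which hooks exist and whether npm would run
// them under the given .npmrc.
function auditManifests(manifestTexts, npmrcText) {
  const suppressed = ignoreScriptsEnabled(npmrcText);
  return manifestTexts.map((text) => {
    const hooks = installHooks(text);
    return {
      name: JSON.parse(text).name,
      hooks,
      wouldRun: hooks.length > 0 && !suppressed,
    };
  });
}

// Human-readable summary lines for one .npmrc configuration.
function report(manifestTexts, npmrcText) {
  const lines = [`ignore-scripts=${ignoreScriptsEnabled(npmrcText)}`];
  for (const r of auditManifests(manifestTexts, npmrcText)) {
    lines.push(`  ${r.name}: hooks=[${r.hooks.join(',')}] wouldRun=${r.wouldRun}`);
  }
  return lines;
}

// Constructed sample data; these are not real packages.
const SAMPLE_MANIFESTS = [
  JSON.stringify({ name: 'example-with-hook', version: '1.0.0',
    scripts: { postinstall: 'node setup.js', test: 'node test.js' } }),
  JSON.stringify({ name: 'example-plain', version: '2.0.0',
    scripts: { test: 'node test.js' } }),
];
const NPMRC_DEFAULT = '; no ignore-scripts line\nregistry=https://registry.npmjs.org/\n';
const NPMRC_HARDENED = 'registry=https://registry.npmjs.org/\nignore-scripts=true\n';

console.log(report(SAMPLE_MANIFESTS, NPMRC_DEFAULT).join('\n'));
console.log(report(SAMPLE_MANIFESTS, NPMRC_HARDENED).join('\n'));
```

With the default `.npmrc` the audit shows `example-with-hook` would run its `postinstall`; with `ignore-scripts=true` present (what `npm config set ignore-scripts true` writes to the user-level `.npmrc`) every manifest reports `wouldRun=false`. Running the real audit over a `node_modules` tree means feeding each package's `package.json` text to `auditManifests`.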
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.