npm Information for VU#319816

npm fails to restrict the actions of malicious npm packages

Status

Affected

Vendor Statement

The lifecycle script feature that the worm relies upon is intrinsic to the
operation of npm and many other package managers. We have made a decision
balancing security against utility and decided not to disable this feature.
Any step short of disabling this feature becomes a cat-and-mouse game of
attempting to predict what a given user script will do, which becomes akin
to the halting problem.

Our real-world mitigation steps are:
1. registry publishing has a kill switch independent of registry installs,
so a worm's progress can be instantly halted once identified
2. we can programmatically identify and un-publish, post-hoc, any
compromised packages, reverting them to their last good versions

Users who are uncomfortable with this decision can disable this feature at
the client side with the `ignore-scripts` option, which can be invoked at
install time or permanently set with `npm config set ignore-scripts true`.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.