npm Affected

Notified: February 12, 2016. Updated: March 25, 2016.

Status

Affected

Vendor Statement

The lifecycle script feature that the worm relies upon is intrinsic to the operation of npm and many other package managers. We have made a decision balancing security against utility and decided not to disable this feature. Any step short of disabling this feature becomes a cat-and-mouse game of attempting to predict what a given user script will do, which becomes akin to the halting problem.

Our real-world mitigation steps are:

1. registry publishing has a kill switch independent of registry installs, so a worm's progress can be instantly halted once identified
2. we can programmatically identify and un-publish, post-hoc, any compromised packages, reverting them to their last good versions

Users who are uncomfortable with this decision can disable this feature at the client side with the `ignore-scripts` option, which can be invoked at install time or permanently set with `npm config set ignore-scripts true`.
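
As an added example that is not npm's own code, the following Node.js script lists which install-time lifecycle hooks (preinstall, install, postinstall, prepare) a set of package.json manifests would execute, and checks whether a client-side .npmrc turns on the `ignore-scripts` option the statement describes. The manifests, package names and .npmrc contents are constructed samples.

```javascript
// Added example (not npm's own code): audit a dependency set for
// install-time lifecycle hooks and check the client-side ignore-scripts setting.

// Hooks npm runs while installing a package (prepare runs for the root
// package and git dependencies).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return the install-time hooks declared in one package.json object.
function installTimeHooks(pkg) {
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Audit a list of package.json objects; one finding per package that would
// run code during installation.
function auditInstallScripts(packages) {
  const findings = [];
  for (const pkg of packages) {
    const hooks = installTimeHooks(pkg);
    if (hooks.length > 0) findings.push({ name: `${pkg.name}@${pkg.version}`, hooks });
  }
  return findings;
}

// Parse ini-style .npmrc text and report whether ignore-scripts is enabled.
function ignoreScriptsEnabled(npmrcText) {
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().toLowerCase();
    if (key === "ignore-scripts") return value === "true";
  }
  return false; // npm's default: scripts run
}

// Constructed sample data (hypothetical package names).
const SAMPLE_PACKAGES = [
  { name: "pad-helper", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-thing", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "unknown-pkg", version: "0.0.1", scripts: { postinstall: "node setup.js", preinstall: "node pre.js" } },
];
const NPMRC_DEFAULT = "registry=https://registry.npmjs.org/\n";
const NPMRC_HARDENED = "registry=https://registry.npmjs.org/\nignore-scripts=true\n";

console.log(JSON.stringify(auditInstallScripts(SAMPLE_PACKAGES), null, 2));
console.log("ignore-scripts enabled:", ignoreScriptsEnabled(NPMRC_HARDENED));
```

Run it with `node` to see the two packages that would execute code at install time; with `ignore-scripts=true` in .npmrc, those hooks are skipped.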

Vendor Information

We are not aware of further vendor information regarding this vulnerability.