Show HN: npm install actual-malware

55 points by lhmiles, about 3 years ago

Our package registry ecosystem has a serious problem... and not just npm.

People are aware of this, but maybe this will make them a bit more aware.

6 comments

ivraatiems, about 3 years ago

This is a clever way to raise important issues in the security of package managers, but I can't find support for your claim that NPM doesn't let you report malware. A cursory Google search brought me this: https://docs.npmjs.com/reporting-malware-in-an-npm-package

And I confirmed that that button is indeed available on packages, with a link that goes to e.g. https://www.npmjs.com/support?inquire=security&security-inquire=malware&package=left-pad&version=1.3.0

What functionality was removed?

Reply #30690375 not loaded
Reply #30683826 not loaded
GekkePrutser, about 3 years ago

Yep, I've been trying to get our company to pay more attention to it. It's not just nodejs. All the new hipster languages pull in whatever they can grab. Python, golang, Ruby..

A lot of this stuff is submitted by random people that have no verified credibility. It's really worrying. I'm sure it'll take another major incident, though, before we'll really pay attention to it. Like WannaCry/NotPetya did for SMBv1. Because the devs don't want any mitigations, it'll make their work more difficult.
jve, about 3 years ago

> Put passphrases on all your private keys. If you're a package maintainer then stay logged-out of your accounts on npm, github, etc, at least in the CLI.

Doesn't help when the burglar is already in your house.
zeroimpl, about 3 years ago

I get npm, but is it that realistic that yum will pull down a virus? If yum could be infected, then you are either pulling down obscure packages or using a 3rd-party repository. If a mainstream package could get infected, it's just as likely to end up in the base image that you started with (ISO, docker container, etc).
cookiengineer, about 3 years ago

This is why it's important to use containers for development - or at least SELinux on your development host machine.

Simply restrict file access of npm to its cache folders, so it cannot access your other user configuration files.

Additionally, use a host firewall like opensnitch to block npm from any other host than npmjs.com.

Reply #30713512 not loaded
kjok, about 3 years ago

> Can't this be detected? Not really.

Contrary to OP's belief, there are tools that claim to detect such malicious packages. I wonder how effective they are.

Reply #30738626 not loaded
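The last comment asks whether packages like the one in this thread can be detected at all. One cheap check a defender can run before letting `npm install` execute anything is to enumerate which installed packages declare install-time lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`), since those are the hooks npm runs automatically. The script below is an added example and is not code from the thread, from the submitted package, or from npm itself; the package names, manifests and the directory layout it builds are constructed sample data, and the function names are the author's own.

```python
"""Audit a node_modules tree for install-time lifecycle scripts.

Added example (not from the thread or any package it discusses).
Assumption: a package whose package.json declares preinstall/install/
postinstall/prepare gets code executed by `npm install`, so listing those
packages before scripts run is a useful first detection step.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: Path) -> dict:
    """Return {package_name: {hook: command}} for every package under
    node_modules (scoped @org/name and nested node_modules included)
    that declares at least one install-time lifecycle script."""
    findings = {}
    for manifest in node_modules.rglob("package.json"):
        # Only manifests that sit directly in a package directory count:
        # <...>/node_modules/<name>/package.json or
        # <...>/node_modules/@scope/<name>/package.json. Manifests deeper
        # inside a package (test fixtures, examples) are skipped.
        parent = manifest.parent.parent
        is_plain = parent.name == "node_modules"
        is_scoped = parent.name.startswith("@") and parent.parent.name == "node_modules"
        if not (is_plain or is_scoped):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name", str(manifest.parent))] = hooks
    return findings


def build_sample_tree(root: Path) -> Path:
    """Construct a small node_modules tree of made-up packages (sample data,
    not real npm packages) so the audit can be demonstrated offline."""
    nm = root / "node_modules"
    manifests = {
        "harmless-util": {"name": "harmless-util", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
        "@demo/hooked": {"name": "@demo/hooked", "version": "0.1.0",
                         "scripts": {"postinstall": "node setup.js"}},
        "nested-parent": {"name": "nested-parent", "version": "2.0.0"},
    }
    for name, manifest in manifests.items():
        pkg_dir = nm / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A transitive dependency installed under its parent's own node_modules.
    deep = nm / "nested-parent" / "node_modules" / "deep-dep"
    deep.mkdir(parents=True)
    (deep / "package.json").write_text(json.dumps({
        "name": "deep-dep", "version": "0.0.1",
        "scripts": {"preinstall": "sh ./fetch.sh"},
    }), encoding="utf-8")
    return nm


def audit_sample() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for pkg, hooks in sorted(audit_sample().items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real project with `find_install_scripts(Path("node_modules"))` after an install done with `npm ci --ignore-scripts`, which fetches the packages but runs none of their hooks; the listing then shows exactly which packages would have executed code, so they can be reviewed before scripts are allowed to run. The audit does not say whether a hook is malicious, only that it exists, which is the honest limit of this kind of static check.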