Looks through a package.json file for any packages known to be malicious. Checks both the dependencies and devDependencies fields.
Based on this tweet by @nodesecurity (https://twitter.com/nodesecurity/status/892775462371381248), there is currently a hole whereby a user can publish malicious packages that steal environment variables when they are installed. npm runs a package's install-time lifecycle scripts (preinstall/postinstall) with the installing user's environment, so anything held there, such as API tokens, cloud credentials or CI secrets, is available to the package's script.
Ivan Akulov has posted a quick one-liner to check for these packages, along with more detail on the issue, at https://iamakulov.com/notes/npm-malicious-packages/. This script was created for everyone on an OS that cannot run that command. Note that package.json only lists direct dependencies; a malicious package pulled in transitively will only show up in package-lock.json or node_modules.