Looks through a package.json file for any packages known to be malicious. It checks both the dependencies and devDependencies fields.
As reported in this tweet by @nodesecurity (https://twitter.com/nodesecurity/status/892775462371381248), there is currently a gap that lets users publish malicious packages, under names that mimic popular ones such as crossenv for cross-env, which steal environment variables when they are installed.
A quick one-liner to check for these packages, along with more detail on the issue, has been posted by Ivan Akulov at https://iamakulov.com/notes/npm-malicious-packages/. This script was created for everyone on an OS (typically Windows, which has no grep by default) that cannot run that command.
For reference, here is the command:
npm ls | grep -E "babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter"
Note that grep -E treats the pattern as a regular expression: the dots match any character and every name matches as a substring (for example "smb" also matches smbclient), so compare any hit against the exact package name before acting on it.
Copy this script into the folder where your package.json is located. It can be called anything you like, as long as it has the .js extension. In this example, I'm going to call it checkMalicious.js.
Then run the script with node:
node checkMalicious.js
This is a short-term solution until something more robust is put in place by npm. It is limited in functionality: it only checks the direct dependencies listed in package.json (the npm ls command above also covers transitive dependencies), and the list of malicious packages is more than likely incomplete.
If anyone finds this useful, I'm more than happy to extend its functionality.