npm is very popular and widespread. JS developers typically run `npm install` or `yarn install` on dev machines and CI servers many times per day, and a modern npm-based project usually pulls in thousands of packages. There are two types of threats:
- Malicious or vulnerable packages targeting the runtime of your app: they can harvest user data, perform crypto mining, etc.
- Malicious or vulnerable packages targeting your environment: they can harvest SSH keys, auth tokens, etc.
Threat #1 can be mitigated by `npm audit`, lockfiles and caches, as there is typically some time span between dependency installation and go-live.
Threat #2 is more dangerous, as it takes place immediately when `npm install` is executed.