3

I had a typo and npm installed something that is similar in name to something very popular -- I was concerned about typosquatting. It's quite plausibly legitimate and just a coincidence. I looked at the corresponding package and didn't see anything wrong, though of course bad things can be hidden.

I use nvm.

I npm installed it and then immediately noticed and rm'd node_modules.

How much damage can be done by just installing, without subsequently "using" it for anything?

I know very little about npm -- does npm allow the installation code to do whatever it wants on a system?

Anders
  • 64,406
  • 24
  • 178
  • 215
user237586
  • 31
  • 1
  • Great question! I think this article might be of interest to you: https://medium.com/@kyle_martin/understanding-and-protecting-against-malicious-npm-package-lifecycle-scripts-8b6129619d7c – Anders Jul 01 '20 at 07:59

2 Answers2

1

Conceptually, installing a package permits running setup scripts which in turn could be leveraged to execute arbitrary code on the system under the privileges of the executing user (hope it wasn't root... though if it was the worst consequence is full compromise of the system). The package may also pull in other packages as dependencies which in turn bring the same level of risk.

If you're concerned, create yourself a sample VM and unpack the package to see what it does. It's uncommon (but has happened!) that signed packages from trusted sources contain malicious code, but you can't be sure until you check.

Pedro
  • 3,911
  • 11
  • 25
0

You have to be careful in the cleanup. The dependancy may have been written to package.json file as well as the package-lock.json meaning it will install every time you run npm install.

Additionally it may have set up git hooks, and you need to check if it ran post and pre install scripts as those can write files to other parts of the project filesystem (or machine filesystem if running as root).

If you want to be certain of what it did, bootstrap a new npm project, install only that dep and run a diff on the filesystem.

As long as you remove everything it wrote (assuming non root here) then you should be fine.

It will also have cached this package in your local npm cache, not serious but if you want to act like this never happened then that needs flushed as well.

TrickyDupes
  • 2,809
  • 1
  • 13
  • 27