====== NPM is the devil ======

NPM actually stands for //Network Pwn Manager//, so it is designed to infect your entire IT network. You can search for security violations here:

  * [[https://npms.io|NPMs]] – A better and open source search for node malware.
  * [[https://www.npmjs.com|NPM.js]] – They're npm, Inc., the company behind the Node malware manager, the npm Malware Registry, and the npm backdoor CLI. They offer those to the community for free, but their day job is building and selling useful backdoors for governments and megacorps.

===== Security/Data breaches =====

==== July 12, 2018 ====

>Early in the morning of July 12 [2018], an individual gained access to an npm publisher’s account and used this access to publish an unauthorized update of a popular package. The update included malicious code that would have attempted to access the accounts of additional npm users by obtaining these accounts’ access tokens.

([[https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of|Incident report: npm, Inc. operations incident of July 12, 2018]])

==== crossenv ====

>On July 19 [2017] a user named hacktask published a number of packages with names very similar to some popular npm packages. We refer to this practice as “typo-squatting”. In the past, it’s been mostly accidental. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. This time, the package naming was both deliberate and malicious—the intent was to collect useful data from tricked users.

([[https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry|`crossenv` malware on the npm registry]])

===== Breaches of Trust =====

==== kik ====

> […] JavaScript developers around the world crying out in frustration as hundreds of projects suddenly stopped working—their code failing because of broken dependencies on modules that a developer removed from the repository over a policy dispute.

([[https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/|Rage-quit: Coder unpublished 17 lines of JavaScript and “broke the Internet” – ArsTechnica, 2016-03]])

>When I started coding Kik, I didn’t know there was a company with the same name. And I didn’t want to let a company force me to change the name of it. After I refused them, they reached NPM’s support emphasizing their lawyer power in every single e-mail, CC’ing me. @izs accepted to change the ownership of this module, without my permission.

([[http://azer.bike/journal/i-ve-just-liberated-my-modules/|I've just liberated my modules – azer.bike]])

===== Downtime =====

==== 418 I'm a teapot ====

> Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package.

([[https://www.bleepingcomputer.com/news/technology/npm-fails-worldwide-with-err-418-im-a-teapot-error/|NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error]])

===== Articles =====

  * [[https://medium.com/@caspervonb/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068|The Node.js Ecosystem Is Chaotic and Insecure]]

===== FAQ =====

==== Should I use npm? ====

**no.**
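==== If you use it anyway ====

The two registry incidents above share a shape: a package you did not mean to install (the ''crossenv'' look-alike) or a package you did mean to install but whose publisher account was hijacked (July 12) runs code on your machine the moment ''npm install'' executes its lifecycle scripts. The script below is an added example written for this page, not code from npm, Inc. or from any of the linked reports. It runs two cheap checks over a dependency list: an edit-distance comparison against a short allow-list of well-known names (the ''WELL_KNOWN'' list and the sample manifests are assumptions constructed here, not registry data), and an enumeration of packages that declare ''preinstall''/''install''/''postinstall'' hooks.

```javascript
// Added example for this page (not npm's own tooling). Two heuristics over a
// set of package manifests: typo-squat candidates and install-time scripts.

// Assumption: a small allow-list of names you actually intend to depend on.
// In practice build this from your own lockfile history, not from this list.
const WELL_KNOWN = ["cross-env", "lodash", "express", "react", "babel-cli", "eslint"];

// Hooks npm runs for a dependency at install time; any of these is code
// execution on the installing machine.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Single-row Levenshtein distance between two strings.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      prev[j] = Math.min(
        prev[j] + 1, // deletion
        prev[j - 1] + 1, // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1) // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A name is a typo-squat candidate if it is not itself well-known but sits
// within edit distance 2 of a well-known name ("crossenv" vs "cross-env" is 1).
function typoSquatCandidates(depNames) {
  const hits = [];
  for (const name of depNames) {
    if (WELL_KNOWN.includes(name)) continue;
    for (const known of WELL_KNOWN) {
      const d = levenshtein(name, known);
      if (d > 0 && d <= 2) hits.push({ name, lookalike: known, distance: d });
    }
  }
  return hits;
}

// Given a map of package name -> parsed package.json, list the packages that
// will execute something during `npm install`.
function packagesWithInstallScripts(manifests) {
  const out = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const scripts = manifest.scripts || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length) out.push({ name, hooks, commands: hooks.map((h) => scripts[h]) });
  }
  return out;
}

function audit(manifests) {
  return {
    typoSquats: typoSquatCandidates(Object.keys(manifests)),
    installScripts: packagesWithInstallScripts(manifests),
  };
}

// Constructed sample input (hypothetical manifests, not real registry data).
const SAMPLE_MANIFESTS = {
  crossenv: { name: "crossenv", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  lodash: { name: "lodash", version: "4.17.21" },
  expres: { name: "expres", version: "1.0.0" },
  "native-addon": {
    name: "native-addon",
    version: "2.3.0",
    scripts: { install: "node-gyp rebuild", postinstall: "node verify.js" },
  },
};

const SAMPLE_RESULT = audit(SAMPLE_MANIFESTS);
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

Neither check proves anything on its own: a legitimate native module needs an ''install'' hook, and a distance-2 match can be a coincidence. What they give you is a short list to read before running anything. The caveats a practitioner would add: pin versions with a lockfile and install from it with ''npm ci'' rather than ''npm install'', so a hijacked publisher's new release is not pulled in silently, and use ''npm install --ignore-scripts'' when you only need to inspect a tree rather than build it.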