[email protected]: The NPM Package That Delivered the RAT Payload
The attack was carried out through the compromised package, [email protected], whose post-install script deployed the RAT. The incident surfaced during a deep dive into supply chain attacks following a wave of compromised npm accounts.
Disagreement centers on how to fix the problem. Some users, like esquuero, insist on mandatory controls such as setting `min-release-age=7` and `ignore-scripts=true` in `.npmrc`. Others argue this defense is insufficient; 'techpeakedin1991' questions whether disabling scripts stops malware embedded directly in the package source code rather than in lifecycle hooks. Meanwhile, 'TechnoCat' champions `pnpm` because it disables install scripts by default.
The consensus points to tightening package controls as critical. While there is clear disagreement on the completeness of age restrictions versus script disabling, the practical advice centers on adopting stricter package manager settings, specifically implementing age checks or using tools like `pnpm` to limit the blast radius of malicious dependencies.
Key Points
Using pnpm is superior for security.
'TechnoCat' stated pnpm disables install scripts by default, offering superior protection against supply chain attacks.
Mandatory npmrc controls are the baseline fix.
eskuero advised adding `min-release-age=7` and `ignore-scripts=true` to `.npmrc`.
Script disabling is not a total shield.
'techpeakedin1991' questioned if disabling scripts stops execution if malware is coded directly into the source, not the hooks.
The attack vector was specific and traceable.
'TechnoCat' identified [email protected] as the vector that ran the malicious post-install script.
Package age restriction is a valuable layer.
moseschrute suggested setting a minimum age for packages to prevent immediate adoption of malicious new versions.
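The two controls debated above (a minimum release age and refusing lifecycle install hooks) can be checked before `npm install` ever runs. The following is an added example, not code from the discussion or from npm; it audits registry metadata in the shape returned by `npm view <pkg> --json` and uses a constructed sample for the hypothetical package `example-lib`.

```python
"""Pre-install audit: flag versions younger than min_age_days and versions
that declare lifecycle install hooks, then pick the newest safe version."""
from datetime import datetime, timedelta, timezone

# Hooks that npm runs on install; ignore-scripts=true is what suppresses them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample mirroring `npm view example-lib --json` (hypothetical package).
SAMPLE_META = {
    "name": "example-lib",
    "time": {
        "1.2.3": "2024-12-01T00:00:00.000Z",   # mature release, no hooks
        "1.2.4": "2025-01-18T12:00:00.000Z",   # 2 days old, adds a postinstall hook
        "1.2.5": "2025-01-19T23:00:00.000Z",   # 1 hour old, no hooks
    },
    "versions": {
        "1.2.3": {"scripts": {"test": "node test.js"}},
        "1.2.4": {"scripts": {"postinstall": "node setup.js"}},
        "1.2.5": {"scripts": {}},
    },
}
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_iso(ts):
    """Registry timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_package(meta, now, min_age_days=7):
    """Return {version: {'too_new': bool, 'hooks': [hook names]}}."""
    cutoff = now - timedelta(days=min_age_days)
    findings = {}
    for version, manifest in meta.get("versions", {}).items():
        published = parse_iso(meta["time"][version])
        scripts = manifest.get("scripts") or {}
        findings[version] = {
            "too_new": published > cutoff,
            "hooks": [h for h in LIFECYCLE_HOOKS if h in scripts],
        }
    return findings


def pick_version(meta, now, min_age_days=7):
    """Highest version that is old enough and has no install hooks, else None."""
    findings = audit_package(meta, now, min_age_days)
    safe = [v for v, f in findings.items() if not f["too_new"] and not f["hooks"]]
    return max(safe, key=lambda v: tuple(int(p) for p in v.split("."))) if safe else None
```

With the default seven-day window the brand-new 1.2.5 is held back and the hooked 1.2.4 is rejected outright, so 1.2.3 is chosen; dropping the age window to zero lets 1.2.5 through, which is exactly the layer the age restriction adds.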
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.