Comment by killerstorm

2 months ago

"Outbound network connection at npm install" is just one of many ways malware in an NPM package can manifest itself.

E.g. malware might be executed when you test code which uses the library, or when you run a dev server, or on a deployed web site.

The entire stack is built around trusting code, letting it do whatever it wants. That's the problem.

Trust is hard; it all comes down to trust no matter what you do. The more general idea is a sandboxed build. It doesn't eliminate all problems, but it does eliminate one class.
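As an added illustration of the "one class" a sandboxed or script-free install covers (this is example code written for this page, not killerstorm's code or anything from npm itself): the script below walks a `node_modules` tree and reports every package that declares an install-time lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`), which is exactly the code that `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) would refuse to run. The sample tree it builds is constructed inline so the example runs offline; the package names and commands in it are made up for the demonstration. Note what it deliberately does not find: a package whose only payload runs under `npm test`, in a dev server, or on the deployed site declares no install hook at all, which is the comment's point.

```python
"""Audit an npm dependency tree for install-time lifecycle hooks.

Added example, not from the original comment. Reports packages whose
package.json declares a script that npm runs automatically at install
time. It covers only that class: code that executes at test, dev-server
or runtime is invisible to this check.
"""
import json
import os
import tempfile

# Lifecycle hooks that npm runs on its own during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules: str) -> dict:
    """Return {relative_package_path: {hook: command}} for every package
    under node_modules (scoped and nested packages included) that declares
    at least one install-time lifecycle script."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        path = os.path.join(root, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            # Key by path so two versions of one package are listed separately.
            key = os.path.relpath(root, node_modules).replace(os.sep, "/")
            findings[key] = hooks
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules tree for the demonstration.
    All names and commands here are invented sample data."""
    base = tempfile.mkdtemp(prefix="npm-audit-demo-")
    node_modules = os.path.join(base, "node_modules")
    samples = {
        # No install hook: whatever it does, it does when the code is run.
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "jest"}},
        # Legitimate-looking native build step; still arbitrary code at install.
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        # Scoped package with a postinstall hook.
        "@scope/telemetry-shim": {"name": "@scope/telemetry-shim",
                                  "version": "0.0.1",
                                  "scripts": {"postinstall": "node setup.js"}},
    }
    for rel, manifest in samples.items():
        pkg_dir = os.path.join(node_modules, *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


def report(node_modules: str) -> int:
    """Print one line per hook found and return the number of packages
    that would execute code during `npm install`."""
    findings = find_install_hooks(node_modules)
    for pkg, hooks in sorted(findings.items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
    return len(findings)


if __name__ == "__main__":
    # Point this at a real project's node_modules instead of the sample tree
    # to see which packages would run code if scripts were not ignored.
    count = report(build_sample_tree())
    print(f"{count} package(s) declare install-time hooks")
```

Running it against a real project's `node_modules` (replace `build_sample_tree()` with the path) gives the list of packages you would have to build in a sandbox or rebuild selectively with `npm rebuild <pkg>` after a script-free install; everything not on that list is the other, larger class the comment warns about.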