Comment by tasuki

4 days ago

I don't get this explanation. How does it force you to run the infection code?

Yes, if you depend on an infected package, sure. But then I'd expect not just a list, but a graph outlining which package infected which other package. Overall I don't understand this at all.

Look at the diff in the article, it shows the “inject” part: the malicious file is added to the “preinstall” attribute in the package.json.

  • I still don't get it. Like, I understand that if you apply the diff you get infected. But... why would you apply the diff? How would you trick me into applying that diff to my package?

    • Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.