Comment by Balinares
10 hours ago
As far as I understand, NPM packages are not self-contained like e.g. Python wheels and can (and often need to) run scripts on install.
So just installing a package can get you compromised. If the compromised box contains credentials to update your own packages in NPM, then it's an easy vector for a worm to propagate.
Python wheels don't run arbitrary code on install, but source distributions do. And you can upload both to PyPI. So you would have to run
pip install <package> --only-binary :all:
to only install wheels and fail otherwise.
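The npm side of this is checkable before anything runs: a package declares its install-time hooks in package.json, so a fetched node_modules tree (e.g. from `npm install --ignore-scripts`) can be scanned for them. Below is an added example in that spirit, not code from the comment above; the package names and the sample tree are constructed for the demo, and the hook list is npm's documented install lifecycle.

```python
"""Find npm packages whose lifecycle scripts run during `npm install`."""
import json
import tempfile
from pathlib import Path

# Hooks npm runs automatically at install time, in lifecycle order.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def install_hooks(package_json: dict) -> dict:
    """Return the install-time hooks declared in one package.json."""
    scripts = package_json.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}

def find_install_hooks(node_modules: Path) -> dict:
    """Walk a node_modules tree and map package name -> install-time hooks.

    rglob also reaches nested and scoped packages (node_modules/@scope/pkg),
    whose hooks npm runs as well.
    """
    findings = {}
    for manifest in node_modules.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        hooks = install_hooks(data)
        if hooks:
            findings[data.get("name", str(manifest.parent))] = hooks
    return findings

# Constructed sample tree: one clean package, one with a postinstall hook.
SAMPLE_TREE = {
    "left-pad-ish/package.json": {"name": "left-pad-ish", "version": "1.0.0"},
    "@acme/colors-ish/package.json": {
        "name": "@acme/colors-ish", "version": "2.0.0",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    },
}

def demo() -> dict:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        for rel, manifest in SAMPLE_TREE.items():
            path = root / rel
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return find_install_hooks(root)

if __name__ == "__main__":
    for name, hooks in demo().items():
        print(f"{name}: {hooks}")
```

Anything it reports deserves a look before the tree is installed with scripts enabled; the pip-side equivalent of that policy is the `--only-binary :all:` flag given in the comment.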