Stephen King's New Novel - NPM Packages as Security Holes

Well, maybe it’s not Pet Sematary or The Shining, and I lied: it’s not actually written by Stephen King. But the article “I’m harvesting credit card numbers and passwords from your site. Here’s how.” by David Gilbertson has proven just as scary for a lot of people.

In it, the author details how he could set about getting malware onto dozens, perhaps hundreds, of sites via a seemingly harmless minor package, which he then tries to get added as a dependency of other open source NPM packages.

He paints a pretty good picture of what he might want to do, how to do it, and even how to evade the most common protections against such a thing.

If you’re doing front-end work with JS and you’re including NPM packages (pretty common for React and Angular developers), then this fairly short read is worth your time.

About John Munsch
John Munsch is a professional software developer who works exclusively in JavaScript after years of working in the Java, C++, and C world. He's much happier now.