Stephen King's New Novel - NPM Packages as Security Holes

Well, maybe it’s not Pet Sematary or The Shining, and I lied, it’s not actually written by Stephen King. But the article “I’m harvesting credit card numbers and passwords from your site. Here’s how.” by David Gilbertson has proven just as scary for a lot of people.

In it, the author details how he could get malicious code onto dozens, perhaps hundreds, of sites through a single attack vector: a seemingly harmless minor package that he would try to get added as a dependency of other open source NPM packages, so that it is pulled in wherever those packages are used.

He paints a pretty good picture of what he might want to do, how to do it, and even how to evade the most common protections against such a thing.

If you’re doing front-end work with JS and you’re including NPM packages (pretty common for React and Angular developers), then this fairly short read is worth your time.