Note: For obvious reasons, this was never published to npm. The code is old and poorly-tested so please don't consider it anything more than a learning opportunity.
This is a proof-of-concept npm worm.
When this module is installed (npm install pizza-party
) an install script is executed that scans its parent node_modules
directory for other node modules. It then adds the same install script to those modules, versions those modules (bumping the patch version) and attempts to publish them to npm.
It also opens a very important youtube video.
If the user has permission to administer the newly infected modules, they will be published and, eventually, installed by any users listing those modules as dependencies in their projects. They will then try and infect any new peer modules, propagating the install script indefinitely.
- Don't remain logged into npm. Run
npm logout
immediately after administering any of your node modules. - Don't run post install scripts when installing new modules. Use the
--ignore-scripts
flag when installing modules. - Pin your dependencies. Never use
^
or~
in yourpackage.json
manifest. Usenpm shrinkwrap
.