Slightly off-topic, but I bet someone could make a business out of auditing npm packages for malicious or obviously harmful code. Your company can send me the package.lock.json for your app, and I’ll go through and check every single package at a rate of X dollars per thousand lines of code, using a combination of automated tooling and manual review. Every time you do an update, I’ll review the packages and how they’ve changed. Any malicious stuff that I find gets posted publicly in the node security alerts.
Sure, someone could write some really clever code that avoids detection, but you can rest easy knowing that at least one person has looked at that pile of code in your node_modules folder before it was shipped to production.
Wow. It seems painfully obvious that shinnn did this him/herself. Obviously there’s no way of telling for sure, but given the backstory, that’s where I’d put my money.
Slightly off-topic, but I bet someone could make a business out of auditing npm packages for malicious or obviously harmful code. Your company can send me the package.lock.json for your app, and I’ll go through and check every single package at a rate of X dollars per thousand lines of code, using a combination of automated tooling and manual review. Every time you do an update, I’ll review the packages and how they’ve changed. Any malicious stuff that I find gets posted publicly in the node security alerts.
Sure, someone could write some really clever code that avoids detection, but you can rest easy knowing that at least one person has looked at that pile of code in your node_modules folder before it was shipped to production.
Already a business! I know a few companies offering what you suggest: npm itself, GitHub, Snyk…
Dunno if calling this “malicious” is correct, seems a bit of stretch since it is annoying to the author.
It does nothing purely “bad”, it just messes with the people who forced the dude to give away the project.
I’d call it “bad taste prank” or something like that.
Wow. It seems painfully obvious that shinnn did this him/herself. Obviously there’s no way of telling for sure, but given the backstory, that’s where I’d put my money.
Looks like we need a [drama] tag…