JavaScript registry NPM vulnerable to 'manifest confusion' abuse

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. steal-ur-stuff

    Steal Ur Stuff

    I actually did a POC 7 years ago about this - https://github.com/tanepiper/steal-ur-stuff

    It was reported to npm at the time, but they chose to ignore it - https://github.com/npm/npm/issues/17724

  2. npm

    Mentioned in the same comment as steal-ur-stuff (see 1 above).

  3. npm-lint

    A linter for npm & node package.json files with a focus on dependency security

    That postinstall and other scripts have been a problem for a long time - the PoC, for example, could be installed via npx, which would then run postinstall, which executes another script to steal /etc/password data.

    This is not a new problem, you just have another vector.

    I came up with a free linter package to try to solve it - but no one seemed interested, and here we are 7 years later talking about it, where people are now offering paid services to mitigate it.

    https://github.com/tanepiper/npm-lint

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.


Related posts

  • Dissecting Npm Malware: Five Packages And Their Evil Install Scripts

    4 projects | /r/javascript | 18 Apr 2023
  • npm package to upload your private ssh keys to a pastebin

    3 projects | /r/javascript | 18 Mar 2022
  • PNPM CI Builds fail currently due to Signature Mismatch

    1 project | news.ycombinator.com | 3 Feb 2025
  • How I Manage Node & Package Manager Versions in 2025

    6 projects | dev.to | 22 Jan 2025
  • Show HN: Most votes on a GitHub issue I've seen (yarnpkg)

    1 project | news.ycombinator.com | 26 Jun 2024
