May I have accidentally downloaded a malicious npm package?

Today I wanted to try linking my dist folder to npm and I tried `npm link dist`, but that downloaded this package: https://www.npmjs.com/package/dist?activeTab=dependencies. I've heard about some malicious packages and I got paranoid; does anyone know if I should do something?
[npm link preview] dist: a cli tool and library to create development and production versions for the browser. Latest version: 0.1.2, last published: 11 years ago. Start using dist in your project by running npm i dist. There are 28 other projects in the npm registry using dist.
8 Replies
Halu (5mo ago)
There are no install or postinstall scripts on it (and its deps are popular packages), so you haven't executed anything unexpected. You're probably fine, just uninstall it.
Aless (5mo ago)
Ok, thank you. I know dependencies can have scripts too, though.
Halu (5mo ago)
They are reasonably popular enough; I don't think you need to worry about it too much. You are right though, it would be nice to have a tool to search packages at depth for such scripts. You can search your node_modules for them, though (assuming the package.json didn't trigger a self-edit). Here are some links if you want to learn a little more about malicious packages:
- https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
- https://github.com/npm/npm/issues/17724#issuecomment-314483466
- https://blog.phylum.io/phylum-discovers-npm-package-mathjs-min-contains-discord-token-grabber/
If you're not convinced though, you can always take it up with npm directly.
If you believe you have identified a dependency confusion package, please let us know!
Probably overkill in this scenario, but I'd never criticize someone for prioritizing their computer's security.
Aless (5mo ago)
Or I could run an antivirus scan first and change my passwords. Resetting my PC would be the safer option, but I have school tomorrow and many other things to do.
T (5mo ago)
Do you have any legitimate reason to believe that this package is malicious? I think you may be overreacting in this particular scenario.
Aless (5mo ago)
Probably, I have paranoia issues.
T (5mo ago)
All that happened is you accidentally installed an npm package from 11 years ago. It looks safe to me. Just old and not particularly useful.
Halu (5mo ago)
Just buy a new computer man, it's game over! /s