May I have accidentally downloaded a malicious npm package?
today I wanted to try linking my dist folder to npm and I tried
npm link dist
but that downloaded this package
https://www.npmjs.com/package/dist?activeTab=dependencies
I've heard about some malicious packages and I got paranoid. Does anyone know if I should do something?
(npm link preview) dist: a cli tool and library to create development and production versions for the browser. Latest version: 0.1.2, last published: 11 years ago. 28 other projects in the npm registry use it.
There are no install or postinstall scripts on it (and its deps are popular packages), so you haven't executed anything unexpected.
You're probably fine, just uninstall it.
Ok, thank you
I know dependencies can have scripts too though.
They are reasonably popular enough; I don't think you need to worry about it too much.
You are right though, it would be nice to have a tool to search packages at depth for such scripts.
You can search your node_modules for them though (assuming the package.json didn't trigger a self-edit).
Here are some links if you wanna learn a little more about those malicious packages:
- https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
- https://github.com/npm/npm/issues/17724#issuecomment-314483466
- https://blog.phylum.io/phylum-discovers-npm-package-mathjs-min-contains-discord-token-grabber/
If you're not convinced though, you can always take it up with npm directly.
"If you believe you have identified a dependency confusion package, please let us know!"
Probably overkill in this scenario, but I'd never criticize someone for prioritizing their computer's security.
Or I could run an antivirus scan first, and change my passwords
Resetting my PC would be the safer option, but I have school tomorrow and many other things to do.
Do you have any legitimate reason to believe that this package is malicious? I think you may be overreacting in this particular scenario
Probably, I have paranoia issues
All that happened is you accidentally installed an npm package from 11 years ago. It looks safe to me. Just old and not particularly useful
Just buy a new computer man, it's game over!
/s