
The massive bug at the heart of npm
JS Party: JavaScript, CSS, Web Development
The Impact of NPM on the Tooling World
NPM allows an attacker to hide install scripts or extra dependencies inside of a package. A lot of tools won't show those hidden installations, even though they're going to get installed and run. And so it really gives an attacker a pretty powerful tool to hide some of the stuff they might be up to. So this is where you can start to see there might be an here, in fact, that there's actually a difference between the metadata that's being published separately from the actual tarball.