Alert: NPM modules hijacked
EDIT: User @nj48 appears to have no malicious intentions.
With the recent Module liberation, malicious activity was spotted: the names of the unpublished modules were being hijacked.
For example, read-json: https://github.com/mattdesl/install-if-needed/pull/2.
The "hijacked modules" look like this:
```
node_modules/dom-classes$ ls -la
total 12
drwxr-xr-x 5 drinchev admin 170 Mar 23 11:59 .
drwxr-xr-x 4 drinchev admin 136 Mar 23 11:59 ..
-rw-r--r-- 1 drinchev admin 1561 Mar 23 11:59 package.json
-rw-r--r-- 1 drinchev admin 3186 Mar 23 01:43 x
-rwxr-xr-x 1 drinchev admin 246 Mar 23 01:45 x.sh
```
and the content of the files is suspicious:
```
node_modules/dom-classes$ cat x.sh
A="$1"
echo '{
"name": "'"$A"'",
"version": "2.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}' > package.json
npm publish
node_modules/dom-classes$
```
Since those modules are popular, I suggest everyone check their dependencies (especially on private projects) before even passing them to their CI.
Some of the modules are published by the user @nj48. You can find the list in the link.
Even though the modules are bumped with a semver major (will not be installed with ~1.0 in your package.json), there is a high chance people upgrade accidentally.