That's helpful to prevent individual secret harvesting, however it does not protect you from potential silent downstream effects in packages. i.e. inclusion of malicious code in libraries you depend on, this could be as simple as inserting a cryptominer, or as severe as data exfil in a front end package.

This default can affect all consumers of NPM packages, regardless of whether you use yarn, pnpm or npm itself, because most package maintainers use NPM. This is why it's NPM's responsibility to change this default in order to prevent spread of malware in packages.

It's the general ecosystem.

There's not a word in the English language that really expresses how absolutely stupid the npm ecosystem is and the developers that perpetuate it by importing a package rather than writing 5 lines of code.

npm can execute code after install and most package managers don't do that

Yep.

1. Every day there's a new package.

2. Then five more packages appear so you don't have to write that one terrifying line of JavaScript yourself.

3. Then someone writes a wrapper around those five packages.

4. Then someone writes a "modern, lightweight, zero-config" wrapper around the wrapper.

5. Then a framework adopts it, a build tool requires it, and suddenly your todo app has a dependency graph that looks like international diplomacy.

6. Out of 100 devs building the same product, there are now 300 different dependency combinations, all somehow involving 'left-pad' spiritually if not literally.

7. Half the packages are maintained by one person, unpaid, at 2 a.m., after getting yelled at in GitHub issues.

8. The other half were abandoned three years ago but still have 40 million weekly downloads because removing them would break civilization.

9. Pinning dependencies sounds nice until the ecosystem tells you, "sorry, this package only works with Node 22, this plugin needs Node 18, and this transitive dependency has discovered ESM enlightenment."

10. So everyone lives on the bleeding edge, except nobody agrees where the edge is, and the bleeding part is very real.

So yeah, npm is not uniquely cursed because JavaScript devs are worse. It's cursed because it turned code reuse into a lifestyle, dependency trees into rainforests, and 'npm install' into an act of faith.

No. NPM's not particularly bad at all tbh.

I wonder if the only thing that will solve this is an insurer or regulator saying that: "A system that automatically pulls updates for dependencies without human review, where said updates are not protected by multi-factor authentication by their respective maintainers, shall not be considered secure."

That would wake NPM up at least to the notion that it's absolutely reasonable to require OSS maintainers to press a button on their phones when releases go out, and that's a good thing not a bad thing.

The core problem is companies skimping on maintenance.

They don’t want to pay engineers to do the analysis manually, and they don’t want to pay for someone to figure out a better automated system.

Would anyone be surprised at their car having problems if they cheaped out on oil changes?

Yes, and the problem here is that most projects have automated systems that automatically update those lockfiles on every upstream release of a library, under an assumption that minor releases are either security patches or bugfixes that would immediately be useful to the consuming project.

IMO this is built on a pre-ShaiHulud, pre-AI set of assumptions, and should be evaluated from first principles with today's security situation.

https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-...

I'm imagining an influence campaign where someone weaponizes targeted advertising and recommendation engines against Mr. Trusted Maintainer, so that it's a The Truman Show effect, where the background of their entire digital bubble pushing the idea that they need retire and delegate.

Things on my workstation that the container does not have access to: browser cookies, 1Password cli, SSH keys (even if I allow the SSH agent socket), cargo publish tokens (unless it’s a rust project), npm tokens (unless it’s an npm project), and not to mention anything relating to my other clients (don’t compromise my employer when I vibe install some dep for a random side project).

On my personal machine, I run OpenSnitch. Much better defense against data exfil if you reject outbound connections to unexpected/unwanted hosts.

For credential stealing, that is true, but at least it would protect your local machine. But I just read these worms also try container escape ...

Watertight subdivision in a ship doesn't promise: "there'll never ever be water in this ship". It says: "If there's water in this ship due to one hole, it'll stay in one compartment". Note that I said one hole: you have the titanic, many compartment gets holes, that one ship is still going to sink.

(btw that the Titanic sunk is not an excuse not to secure other ships. And it did save a great many other ships to have watertight subdivision.)

So... Although there are exploits escaping containers and VMs and then bad guys doing lateral moves across machines, you still want defense in depth.

From CI pipelines with pinned package versions and OIDC instead of permanent secrets limited, least privileges.

AWS has CLIs and SDKs in many languages.

Much came after Deno added them. I don't know what will happen to Deno, but I am glad they showed the Node world than life can be a little more pleasant

> Do any language standard libraries have a "3 hours ago" formatter? Thats what timeago.js does

There's also a platform feature for that now: Intl.RelativeTimeFormat: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

It asks you to do the basic time math to determine your granularity so there's still a role for a library, but also that time math gets easier with Temporal: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

(Specifically `Temporal.Now.instant().since(somePastInstant)` returns a Temporal.Duration that you can relatively easily determine the highest granularity you want and pass that to an Intl.RelativeTimeFormat instance. Also Intl.DurationFormat which is what a Temporal.Duration's `toLocaleString()` uses may also be good enough in many "x hours ago" type situations, though it is over-precise for them.)

> Despite what some people will tell you (including many in the security indistry), Docker is not a strong security boundary, and it should not be treated as one. It shares a kernel with the running system.

Solaris Zones and FreeBSD Jails (their inspiration) also share a kernel with the running system and do not seem to have as many escape vulnerabilities.

(Though partly because there may not be as much scrutiny of course.)

I've been toying with using Jart's Blink, the "tiniest x86-64-linux emulator". If it were hardened against attacks by a smart community, it seems really attractive...

Then I've been toying with using WASM, with a strictly limited API surface... (API stands for what, "Attack, Please, Infiltrators"?)

I'd really love to make a service which can run "untrusted" code... I want this to exist. I want it to feel like the Sandstorm.io marketplace, and to use Tailscale or something like it... and then to make "Facebook but only for friends or friends-of-friends." No public figures. No random people or ads in my feeds. Just friends. And then other similar apps - mail, discord, etc. Don't let it make outbound HTTP connections. Don't let it access local filesystem, other than assets that were bundled with it. Give it a SQLite API... And let it handle inbound HTTP, REST, WebSocket requests... And use gRPC over Tailscale to only talk directly to approved contacts...

Thoughts? How to run untrusted code safely?

I tried using Firecracker and gVisor... But I'm dissatisfied with them. I was trying to make it easy for someone to download and run my service... But Firecracker and gVisor don't at all feel like "libraries that install cleanly." They feel more like, if you're enterprise scale, you can hire someone to make sure Firecracker and gVisor work the way you want... Maybe I'm just not trying hard enough... Maybe using WSL2 on Windows 11 is just asking for trouble. I tried several different ways to run Linux on Windows, and none of them seemed very happy, when I tried to add Firecracker / gVisor.

Docker is a lot more than just an unprivileged user. In particular, it comes with a seccomp filter. A lot of LPEs are blocked by that filter. Docker is actually a quite decent security boundary - in this case the attackers did not attempt to subvert docker by attacking the kernel attack surface, they attacked a weak configuration via the docker socket being mounted.

The reason you don't use a "grown up VM" is because it's significantly more difficult. Which VM? Firecracker requires KVM and a guest operating system - so how are you getting things in and out in a way that doesn't violate security? That's real work.

gVisor is great and my recommendation, certainly, but the difference between "nothing" and "docker" is actually pretty huge imo.

Only works if the Docker socket is mounted which is pretty stupid thing to do and also not something you would do in a "frontend" container. Essentially is like having a password-less ssh

> the good old days when people would hand out low privilege Linux accounts and rely on the kernel to prevent privilige escalation.

... Did that actually stop?

... Is that not the purpose of being able to make multiple accounts (even on a random desktop or laptop system) and restrict their privileges?

Yeah because I'd rather trade one kernel surface for another.

[dead]

Or mount it read-only if you do, like for Traefik.

Worth noting that cgroups (kernel feature underlying containers) is "something more like jails or zones". Actually it is "something exactly like jails or zones".

Unprivileged LXCs get pretty close. Less unified design wise but on some aspects better - kernel escape doesn’t land you on a 0 UID

That's the direction container runtimes are trending

Amazon has been doing it with Firecracker for a while and Kata containers is another popular one

https://github.com/firecracker-microvm/firecracker

https://github.com/kata-containers/kata-containers

> Why not run a proper virtual machine?

Extra 'overhead' and heaviness (perceived or real).

I dunno, why own a car when you could ride your bike instead? They’re just different things and people may choose to use one over the other for a variety of reasons.

The joys of running podman/docker on macOS: you can't help but run it in a hypervisor.

The docker CLI tool is normally executed with user privileges, but there's dockerd, a daemon running as root that actually does the container execution.

> Aren't most people running docker rootless (at least on Linux)? Does podman do more?

In the HPC space Apptainer (previously "Singularity") was created precisely due to (multi-)user-level access, especially with the use of NFS.

I'd guess that most people who run Docker on linux install it through their distro's package manager, which has a dockerd running as root.

On Debian derivatives, you need some kind of extra privs to even talk to it (being a member of the "docker" group, iirc).

docker service that sets up containers runs as root. podman does away with that service.

There's also Mr. Toad's Wild Ride at Disney parks, https://en.wikipedia.org/wiki/Mr._Toad%27s_Wild_Ride

People who were born when this meme was current are 13 years old today. Time sucks. Time really sucks.

1. the supply chain attacks I've seen are naive. They just leverage postinstall hooks. Malicious code also needs to be executed, not simply installed, so it's a lot less likely that an exploit would happen compared to postinstall since it can't just be buried in a transitive.

2. aube does the same. This is an extra level of protection if you've already whitelisted a package

Because there is a time and effort cost to swap over to another framework/runtime even if it brings benefits, and security is always considered "good for now" unfortunately.

That is what made Bun popular, and tools like uv/pip, oxlint/eslint, orbstack/docker desktop, and the list goes on. Drop-in replacements where we get 10x with little effort.

Because employers don't tend towards security. In fact, many actively punish somebody for "sandbagging" or simply taking too long if they even suggest a security concern.

What is dino?

NPM is an easy target because every package has the capability of interacting with your development environment by default, via pre/post-install scripts. Cargo has something similar with build.rs scripts, as does Cabal (Haskell).

In JVM-land, thanks to binary distribution being the default, the number of packages you can usurp to achieve the same compromise is fairly small; essentially Maven and Gradle plugins. Which is why you should be extremely wary when, say, Sentry tells you to add them as a dependency by setting up their Gradle plugin. Not sure about sbt. Clojure source dependencies can provide "prep" scripts, which are not automatically run as part of a build, but still execute code on your machine.

There's a pattern here: some build tools incorporate dependency-provided code as part of the consumer project's build, and that is a juicy attack surface. Packages which include such code, or are recently updated to include it, should be treated with extra scrutiny.

And now, vibe-coding is just gonna take this to a whole another level.

Want to.. but I'll need to first integrate social-media and forum scanning in my tool. Haven't done that yet.

But, it's a good feature to have.

Thanks.. gonna integrate now :)

yep... fixed it in new version. Thanks for mentioning.

On that machine there's Claude's authentication for my account so I can run Claude on it, a public key so I can SSH to the box, and a private key for GitHub access.

Sorry for my ignorance, but then couldn't we build this into NPM itself? So before a package is publicly available it would be quaranteened and checked.

There are prompt guard classifiers that can detect prompt injections, but they are not perfect (false positives, obfuscation) and should be only a part of the defense.

The concern is real and unsolved. I think security researchers have an advantage here because they still can fall back to manual audits if their automated analysis (or scores thereof) is off.

JS programmers today are the PHP programmers of 25 years ago. Remember how many SQL injection bugs there was at the time? Little Bobby Tables remembers.

The standards haven't changed; for the vast majority of JS programmers, this is their first programming language and they have no solid foundation of architecture and security.

So what you get are these overly enthusiastic newbies that want to share their latest achievement with the world (say, a function to left pad a string), and why not include a fancy post-install script with emojis that makes adoption even simpler for other complete noobs? And this is the result.

I came from systems programming, so I think half of what happens in JS is nuts.

Hardly a factor when you're (deliberately) months behind.

Not likely to be a major risk if you update every few months, to some major version that's already over a month old.

I would imagine it's the opposite. Most dev's machines can't query the prod database, for example, whereas a prod server can.

Only the frontend, which is already untrusted. Any risk would be restricted to individual users who used the compromised frontend to communicate something sensitive, and while that's not great, it is significantly better than the backend being compromised. A very significant reduction in blast radius.

Funnily enough, I don't actually think I do serve third party JS, though. Don't serve ads, don't use external telemetry, don't use JS CDNs. I don't think you have to go quite as far as I do, though - I imagine if your ads are Google AdSense or something, you're probably going to be fine.

> Made me wonder why the packages even need build scripts

As the name implies it's for building stuff. Most (all?) packages that use C++ FFI with node-gyp need it. A popular package that needs it is re2.

Many newer packages bundle prebuilt native code as transitive dependencies, so build scripts are less needed than before.

> Made me wonder why the packages even need build scripts.

Historically it was to accommodate packages like the original SASS compiler:

https://sass-lang.com/ruby-sass/

Other times it was to avoid shipping binaries due to, erm, safety concerns. The package would include code in a different language, which in turn would compile into a binary library or executable.

If postinstall scripts are restricted the people behind these attacks will switch to something else. Package code is executed automatically by Node when imported, which could be a good replacement. It'll probably run when tests run instead but it's still going to run for most people.

Accidental true leadership

Shoplifting isn't a national security matter.

Compared to what?

I’m not convinced.

My understanding is that the problem is more that calling in the heavy artillery for what amounts to an annoyance, and maybe some financial harm, is generally considered impolite, even among nations that have conflicting worldviews.

perfect capitalism writ technology

Pinning the version also avoids the risk of accidentally introducing new vulnerabilities while reimplementing the package yourself.

Not to support the GPs choices (they are not mine) but pinned dependencies can get grumpy over time with endless LTS migrations.

... Deno and Bun manage packages? I thought they were just runtimes.

They will once they figure out how to charge for it (which GitHub is trying according to the security scanning banner they keep showing me).

Why would a corporate company actually demonstrate responsibility and ethicality in its use of the open source commons from which it extracts every last penny and dollar?

Edit: a more suitable strategy is to do the minimal necessary actions for appearance purposes only, as its how to focus and optimize on its interest for revenue for its shareholders.

They can and do indeed detect those attacks, it's just from Microsoft's POV a feature of Microsoft Defender (on Windows and Cloud) they sell:

https://www.microsoft.com/en-us/security/blog/2025/12/09/sha...

https://azure.microsoft.com/en-us/pricing/details/defender-f...

So this is presumably why they will never address this in npm itself.

Do you know if they are using any product like JFrog for this or rolling their own?

If your company not running an internal proxy at minimum you're stupid - you have no audit function for what libraries are being pulled.

Yeah, I agree, but then you are at the mercy of whatever vulnerability is found in the current version(s). It just feels like a lose-lose situation no matter what you do.

Akshully, "Node Packaged Malware."

should be a meme

How many other languages of any kind have a standard library that is so bizarrely lacking as JS?

Now how many other mainstream languages of any kind have a standard library that is so lacking?

Now how many other mainstream languages have a swathe of front-end developers that suddenly realised they can run code in a CLI or on a server, and spent exactly 0 minutes learning about how to make it not shit?

Now how many other languages get used in scenarios where it makes absolutely zero sense because the developer only knows javascript?

I last added a new dependency to a large project I work on a couple of years ago. So no, not all ecosystems are the same.

The culture makes a difference.

The analogy in npm is dependency proliferation, along with what appears to be weaker community norms around security. To the extent that either or both of these are true, I think the “no way to prevent this” quip is essentially accurate.

Oh?

Edit: please explain. What other community has this rate of attacks? It's possible they are just detected or publicized less, too. Please help me understand what you're referring to.

I initially read this to mean NPM has a pro-concealed-carry policy, which I don't think it does and I don't think is what you meant.

But... Node's culture does not reward "rational" policies with respect to dependency management in the same way that the US does not reward "rational" policies with respect to gun control *. But US gun control policy is a reflection of the "will of the electorate" -- i.e. there are a lot of Americans who want (or need) to own firearms. In the same way, NPM reflects the culture of high-speed, sili-valley web-devs.

I mention both not to criticize, but to comment it's not the tool that's at fault here, but the users who demanded it evolve the way it did. We moved fast. We broke things. And some of the things that remained broken were sociological: It's easy enough to add PGP/GPG signatures on packages, but whom do you trust? What is the meaning of a signature? Does it mean the signer warrants the package/version is free from defects?

NPM is working as designed. Users wanted the software construction equivalent of a loaded revolver. But we got something that was a bit more like a nuclear weapon with a large blast radius. At least the revolver user would more-likely only shoot their own feet six times (or twelve if they reload.)

[*] I'm trying very hard not to start a flame-war about gun control, I only mean to point out dependency management in node can be as contentious in it's domain as gun control policy is in the domain of US politics. Note that I am not making a pro or con argument about gun control, but only pointing out the issue exists. The word "rational" is intentionally chosen to reflect the fact that people's opinions on gun control and package management are often based on personal, often emotional beliefs (which should not be dismissed.)*

> Yeah funny, but npm is not the only development community where this regularly happens.

What are the other ones? Does this happen with the same sort of frequency?

> npm is not the only development community where this regularly happens

That is like people defending IIS in the early days by pointing out that Apache occasionally had security problems too. Or, back to the gun control analogy people saying “gun control didn't stop Bondi Beach, did it?” or pointing out [incorrectly]⁴ that everywhere that has gun control has knife crime⁴ instead.

> because there is a very clear and obvious reason why … . This doesn't apply for npm.

I disagree. There are a number of reasons that stack together, the four that spring to the top of my head being:

1. Numbers. There are a lot of potential targets you can exploit if you manage to get something into a ecosystem that large. This “being a big fat target” combined with being easy to exploit makes NPM a very juicy target, and encouraging people to use such a target without trying to implement countermeasures for this sort of attack is IMO reprehensible. Numbers isn't a problem in itself, like in the bad old days when IIS was a mess but Apache got (successfully) attacked far less, but they do exacerbate the security issue by multiplying the attack surface area.

1b. A lot of those using it are relatively untrained or just following recipes so do not know how to protect themselves, and may not even update after an attack like this and remain vulnerable for some further time. While this is not NPM's fault, being due to the popularity/commonality thing, it is something those in control of NPM should care about, if, as I believe is claimed, they care about their users⁰.

2. It is an environment where a ridiculous amount of dependencies, nested impressively deep, is practically encouraged, making audit very difficult even for those who try.

3. A number of good suggestions have been made that would mitigate, or at least vastly reduce, the risks. But action on these has, as far as we know, not happened. Sometimes for good reasons, or at least for reasons¹ rather than “just because”/“cost to implement”/“we don't wanna”, and sometimes, well, not. And no alternatives from within those running NPM are being suggested/worked-on, as far as we know² at least.

4. Those who would make most noise about any change, especially a breaking change that affects them in the smallest way, simply do not care about the risk the situation poses to the wider population.

While the gun control analogy might be a little stretched, I think it is relevant enough particularly because of points 3 & 4.

--------

[0] I refuse to use the word community here. This isn't a cosy little village where everyone knows your name and everyone looks out for everyone else.

[1] Them bringing significant breaking changes, or being too complex to implement piecemeal to give time for those breaks are dealt with or otherwise prepared for, for instance.

[2] If something was being looked into, I'd expect it to be announced³ as that would quieten criticisms like these, at least a little.

[3] Maybe not immediately, but this has been a known problem for so long that we are well past immediately.

[4] When it isn't the case that the US doesn't have knife crime, it just doesn't get reported because the gun issues are worse. Like car travel killing more in total then flights, but you don't hear about every car crash. The UK is often given as an example in these comparisons, but if you look at the stats our knife crime rates are lower than the US's - it isn't that other countries have knife problems instead, the US has worse knife problems as well as the guns problem.

In fact, attacks like Shai-Hulud explicitly attempt to get into PyPI, and have succeeded to a lesser extent.

But aside from the package-size / -complexity issue pointed out in a sibling comment, PyPI also tries a fair bit to monitor for incoming malware (and there's a "report project as malware" button on each project page).

Also, there are no post-install scripts (of course, the code can detect when it's being run for the first time in the installed environment); and pre-install scripts are only included in sdists[0]. So you can easily[1] configure your installer such that you at least won't get pwned at install time, at the cost that some[2] packages can't be installed that way. And then you can go inspect, run a security scanner over, etc. whatever got installed; wheel installations just copy things to well-defined locations and generate simple wrapper scripts by strict rules.

[0]: I.e., when the project is "being built from source", which generally is only necessary when it includes non-Python code directly and the maintainer hasn't pre-built that code for your system.

[1]: Notwithstanding that, with pip, many actions that you'd expect not to get you pwned totally can. Such as, for example, explicitly telling it to download an sdist and not install it; as I discussed in https://zahlman.github.io/posts/python-packaging-3/ .

[2]: In practice, a pretty small fraction of what typical developers would actually care about, at least outside of specific niches. I'm told there are some niches where it's a big problem, but honestly they're lucky that this kind of build-install orchestration sort-of works at all.

To expand on this, PyPI is slightly less vulnerable because Python users tend to install mega packages (such as numpy or django) and do not frequently interact with their package manager. There is also not a culture of using sub-dependencies.

Cargo is essentially the same as NPM though, it's only "safer" because it's less popular.

Although the situation on NPM is extremely uncomfortable, you're probably less likely to get hit if you take reasonable precautions than on PyPI, simply because NPM is getting scanned more often. Most of these attacks on NPM have been detected and pulled days before my min age kicks in. A sleeper attack on PyPI could be devastating.

I thought it was «windows has all the viruses» since there are a lot of npm packages and it’s used by a lot of people?

Your example of security issues in Maven is... npm guys setting up processes to auto-publish infected npm packages into the Maven Central repository?

Wake me up when the daily npm security breach headlines are typosquatting stories, not RCE-on-build or RCE-on-upgrade.

I agree generally, but I also think it's important to point out that in the NPM ecosystem it is culturally acceptable and even encouraged to install even trivial dependencies to avoid reinventing the wheel. Philosophically I completely agree with this, though practically we see the result and it is not good. The left pad debacle should have been a huge wake up call, but not really much seems to have changed after that.

As long as developers in the ecosystem are cavalier about installing huge chains of dependencies, NPM will be an attractive target for attackers.

Even though we wish it were not so, cultural problems seem to be the hardest technical problems to solve.

Yeah I was thinking the difference between open source and enterprise to mitigate this is a simple hardware security module right?

If the attackers spearfish folks who hold “keys to the castle” and everything is digital it’s game over no matter what ecosystem.

Those things should be locked down by “something you have” because that’s much more difficult.

I'll disagree because the primary issues with gun control in the US are:

[1] Guns are a core part of culture for much of America, very deeply so outside coastal cities. Most of the left wing in the US lives in coastal cities and either grew up there or immigrated very recently and does not leave, so this is an alien concept to them, but even in very blue cities like D.C. you would be shocked how many liberal democrats have armories. It is literally amendment #2!

[2] They are already widely distributed and it would be a logistical impossibility to actually enforce gun control.

This is directly analogous to NPM where:

[1] The package registry working the way it does and people quickly installing packages without thinking much is deeply part of JS culture. It doesn't help that JS caters very heavily to as wide of a market as possible, of which the majority is going to be entry level/junior to associate engineers for whomst script kiddying or letting AI install whatever is essentially a way of life. As evidence, this type of thing is not really a problem with derivatives like Bun, especially in mature organizations where it's easy to enforce a minimum 72 hour wait time between publish and installation of a package.

[2] Packages are already widely distributed and part of dependency stacks (e.g. the infamous leftpad) where it is a logistical impossibility to change how things work.

I also view startups and companies like Vercel as essentially the NRA here, Next.js has taken over huge swathes of the ecosystem and highly encourages dependency-maxxing.

Another direct analogy: proponents of gun control say they are unnecessary for self defense (esp. because law enforcement is good now), too heavy duty to begin with, and fundamentally dangerous.

Similarly I would criticize dependency-maxxing as unnecessary for capability (esp. because AI is good now), too heavy duty to begin with, and fundamentally dangerous.

>The "No way to prevent this" analogies seem to me to work better for Memory Safety because, as with Gun Safety, the simple fact is that everybody knows how to solve the problem, but one group insists it's impossible.

I'm not following. Whats the 2nd Amendment equivalent for memory safety? The amount of C/C++ in production or something?

> the simple fact is that everybody knows how to solve the problem

Don't make braindead My First C Program mistakes?

What about language exclusivity makes a package manager a security nightmare?