Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects (socket.dev)
17 points by 882542F3884314B 16 hours ago | 4 comments
kspetkov79 13 hours ago
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
tedchs 14 hours ago
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
nullsex 14 hours ago
[dead]
gnabgib 16 hours ago
All Composer packages (but the malicious part is in the node dependency)
Effected*
> Use effect as a noun to refer to a change resulting from something.
nullsex 13 hours ago
Title is somewhat misleading. "Node projects" means projects using Node.js, as opposed to projects under the Node.js org.
ryanshrott 2 hours ago
[flagged]