My working day today started with the drama of 273 node modules being removed from a public repository everyone uses, with one module in particular – “left-pad” – breaking a surprisingly large number of other modules. Talk about a great disturbance in the Force, as if millions of voices suddenly cried out in terror, and were suddenly silenced.
The author of the module posted the reason for his actions: https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.xp2dkmk69 and while I mostly agree with him, I do wish the impact weren’t quite so large. A list of the modules he removed was also posted: https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt
Apart from breaking application deployments and causing inconvenience, there’s also the very real risk of malicious code being pushed up to the NPM repository under the names of these removed modules, so I did some digging…
Several people have already registered some of the modules names on the NPM repository, hopefully to replace the modules with their previous version or prevent people from doing something malicious as mentioned above:
The list of module names and their new owners is:
Most of the modules are owned by a user named “nj48”, and when installing the modules we can see how and why – his modules contain a “x.sh” bash script which loops through each modules name, generates a “package.json” file for it, then “npm publish”es it:
“test”: “echo \”Error: no test specified\” && exit 1″
}’ > package.json
So far these packages contain just the generated “package.json” file, “x.sh” (the script above) and a file named “x” (which is just a list of the modules) – luckily no malicious code… (yet?)
ada – does a console.log(‘ada’)
rimraf-glob – does an “rm -Rf” (as per module’s purpose)
rm-rf – does an “rm -Rf” (as per module’s purpose)
virtualbox – does exec() (as per module’s purpose)
So far nothing too evil looking, and a bunch of broken packages, but definitely worth keeping an eye on https://www.npmjs.com/~nj48 as he controls the majority of these names.
UPDATE: The user who managed to grab most of the package names (“nj48”) has written a post on Medium about it: https://medium.freecodecamp.com/npm-package-hijacking-from-the-hijackers-perspective-af0c48ab9922