14 points | by 882542F3884314B 10 hours ago ago
5 comments
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
[dead]
All Composer packages (but the malicious part is in the node dependency)
Effected*
> Use effect as a noun to refer to a change resulting from something.
Title is somewhat misleading. "Node projects" mean projects using nodejs as opposed to projects under the Node.js org.
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
[dead]
All Composer packages (but the malicious part is in the node dependency)
Effected*
> Use effect as a noun to refer to a change resulting from something.
Title is somewhat misleading. "Node projects" mean projects using nodejs as opposed to projects under the Node.js org.