Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
philipwhiuk 5 hours ago

post-install seems like it shouldn't be necessary anyway, let alone need shell access. What are legitimate JS packages using this for?

homebrewer 5 hours ago | parent | next [-]

From what I've seen, it's either spam, telemetry, or downloading prebuilt binaries. The first two are anti-user and should not exist, the last one isn't really necessary — swc, esbuild, and typescript-go simply split native versions into separate packages, and install just what your system needs.

Use pnpm and whitelist just what you need. It disables all scripts by default.

eknkc 5 hours ago | parent | prev | next [-]

Does that even matter?

The malware could have been a JS code injected into the module entry point itself. As soon as you execute something that imports the package (which, you did install for a reason) the code can run.

I don't think that many people sandbox their development environments.

theodorejb 2 hours ago | parent [-]

It absolutely matters. Many people install packages for front-end usage which would only be imported in the browser sandbox. Additionally, a package may be installed in a dev environment for inspection/testing before deciding whether to use it in production.

To me it's quite unexpected/scary that installing a package on my dev machine can execute arbitrary code before I ever have a chance to inspect the package to see whether I want to use it.

eknkc 2 hours ago | parent [-]

I've been using pnpm and it does not run lifecycle scripts by default. Asks for confirmation and creates a whitelist if you allow things. Might be the better default.

tln 3 hours ago | parent | prev | next [-]

I think these compromises show that install hooks should be severely restricted.

Something like, only packages with attestations/signed releases and OIDC-only workflow should allow these scripts.

Worm could propogate through the code itself but I think it would be quite a bit less effective.

vinnymac 4 hours ago | parent | prev [-]

Most don’t need it. There was a time when most post installing flooded your terminal with annoying messages to upgrade, donate, say hi.

Modern node package managers such as yarn and pnpm allow you to prevent post installs entirely.

Today most of the time you need to make an exception for a package is when a module requires native compilation or download of a pre-built binary. This has become rare though.