Balinares 2 hours ago
As far as I understand, NPM packages are not self-contained like e.g. Python wheels and can (and often need to) run scripts on install. So just installing a package can get you compromised. If the compromised box contains credentials to update your own packages in NPM, then it's an easy vector for a worm to propagate.
magnetometer an hour ago
Python wheels don't run arbitrary code on install, but source distributions do. And you can upload both to PyPI. So you would have to run pip install <package> --only-binary :all: to only install wheels and fail otherwise.
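A pre-install triage check for the two cases raised in both comments (npm lifecycle scripts, and Python sdist versus wheel), as an added example that is not part of the thread and not pip's or npm's own code. It inspects a downloaded artifact before anything is installed: for an npm tarball it reads package/package.json and lists the lifecycle hooks that run automatically on a registry install; for a PyPI download it distinguishes a wheel (a zip that pip only unpacks) from an sdist (which always goes through a build backend, so code runs). The function names and the three sample archives are constructed here for illustration; they are not real packages.

```python
"""Pre-install triage: does installing this artifact execute code?

Added example for the thread above; sample archives are constructed inline.
"""
import io
import json
import tarfile
import zipfile
from typing import Dict, List

# npm lifecycle scripts that run automatically when a registry tarball is installed.
# "prepare" is omitted: it runs for local and git installs, not registry tarballs.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Files at the top of a Python sdist that drive the build. setup.py is arbitrary
# Python; pyproject.toml selects a build backend, which is also arbitrary Python.
SDIST_BUILD_FILES = ("setup.py", "pyproject.toml")


def _make_tar(files: Dict[str, str]) -> bytes:
    """Build an in-memory .tar.gz from {path: text}; used only to construct samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _make_zip(files: Dict[str, str]) -> bytes:
    """Build an in-memory zip from {path: text}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def npm_install_hooks(tarball: bytes) -> List[str]:
    """Return the install-time lifecycle scripts declared in an npm tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        manifest = json.load(tf.extractfile("package/package.json"))
    scripts = manifest.get("scripts") or {}
    return [hook for hook in NPM_INSTALL_HOOKS if hook in scripts]


def sdist_build_files(tarball: bytes) -> List[str]:
    """Return the build-driving files found at the top level of a Python sdist."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf.getmembers():
            parts = member.name.split("/")
            # sdist layout is "<name>-<version>/<file>"
            if len(parts) == 2 and parts[1] in SDIST_BUILD_FILES:
                found.append(parts[1])
    return sorted(found)


def is_wheel(archive: bytes) -> bool:
    """A wheel is a zip containing <dist>.dist-info/WHEEL; pip only unpacks it."""
    bio = io.BytesIO(archive)
    if not zipfile.is_zipfile(bio):
        return False
    with zipfile.ZipFile(bio) as zf:
        return any(name.endswith(".dist-info/WHEEL") for name in zf.namelist())


def runs_code_on_install(archive: bytes, ecosystem: str) -> Dict[str, object]:
    """Classify an artifact and list what would execute during installation."""
    if ecosystem == "npm":
        hooks = npm_install_hooks(archive)
        return {"kind": "npm", "runs_code": bool(hooks), "triggers": hooks}
    if ecosystem == "pypi":
        if is_wheel(archive):
            return {"kind": "wheel", "runs_code": False, "triggers": []}
        # An sdist always goes through a build backend, so it counts as running
        # code even when neither build file is listed.
        return {"kind": "sdist", "runs_code": True, "triggers": sdist_build_files(archive)}
    raise ValueError(f"unknown ecosystem {ecosystem!r}")


# Constructed samples, not real packages.
SAMPLE_NPM = _make_tar({
    "package/package.json": json.dumps({
        "name": "demo", "version": "1.0.0",
        "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
    }),
    "package/scripts/setup.js": "// would run on every npm install\n",
})
SAMPLE_SDIST = _make_tar({
    "demo-1.0/PKG-INFO": "Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    "demo-1.0/setup.py": "from setuptools import setup\nsetup(name='demo')\n",
})
SAMPLE_WHEEL = _make_zip({
    "demo-1.0.dist-info/WHEEL": "Wheel-Version: 1.0\n",
    "demo-1.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: demo\n",
    "demo/__init__.py": "",
})

if __name__ == "__main__":
    for label, blob, eco in (("npm", SAMPLE_NPM, "npm"),
                             ("sdist", SAMPLE_SDIST, "pypi"),
                             ("wheel", SAMPLE_WHEEL, "pypi")):
        print(label, runs_code_on_install(blob, eco))
```

The check complements, rather than replaces, the installer flags: pip install --only-binary :all: (or PIP_ONLY_BINARY=:all: in the environment) refuses sdists outright, and npm install --ignore-scripts skips the lifecycle hooks, though a package that genuinely needs its postinstall step will then be broken rather than just inert.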