
In light of recent events (such as https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/), I've been wondering how NPM and the community as a whole can mitigate the issue. I have thought of the following potential responses:

- Conditionally running post-install scripts. The user gets asked for a yes/no reply in the CLI and the script is only run if the user replies yes. This only mitigates attacks leveraging postinstall scripts and would negatively impact libraries that use it legitimately.

- Forcing 2FA for all package publishers?

- Explicitly allow/deny permissions in Node. E.g. if I'm writing a simple HTTP server, I most likely would not need to be using child_process and others, so I could deny that module/permission and increase the security of my app. Maybe something like the Permissions-Policy HTTP header?

I am curious to hear your thoughts.