New Attack Discovered On Node.js Package Manager npm (softpedia.com)
An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.
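The summary names two risk factors a project can check for itself: dependency specs that are version ranges rather than exact versions (so a newly published malicious version is pulled in automatically), and install-time lifecycle scripts in a package's manifest (which run with the installing user's privileges). The script below is an added example, not code from the article, the researcher, or npm; it audits a package.json-style object for both. The package names and manifests in it are constructed for illustration.

```javascript
// Added example: audit a package.json-style manifest for unpinned
// dependency ranges and install-time lifecycle scripts.
// Not from the article or from npm; sample manifests are constructed.

// Lifecycle hooks that npm runs during `npm install` of a package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
// Anything else (^1.2.3, ~1.2, >=1.0.0, *, "latest", git/tarball URLs) can
// resolve to a different artifact tomorrow than it did today.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return typeof spec === 'string' && EXACT_SEMVER.test(spec.trim());
}

// Returns a list of findings, each tagged with its kind.
function auditManifest(manifest) {
  const findings = [];

  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isPinned(spec)) {
        findings.push({ kind: 'unpinned-dependency', field, name, spec });
      }
    }
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'install-script', hook, command: scripts[hook] });
    }
  }

  return findings;
}

// Constructed sample: an application manifest with two range specs and one pin.
const SAMPLE_APP_MANIFEST = {
  name: 'example-app',
  version: '0.1.0',
  dependencies: {
    'example-a': '^1.0.0',   // caret range: any 1.x.y >= 1.0.0
    'example-b': '~2.1.0',   // tilde range: any 2.1.x
    'example-c': '3.4.5',    // exact version
  },
};

// Constructed sample: a dependency manifest that runs code on install.
const SAMPLE_DEP_MANIFEST = {
  name: 'example-dep',
  version: '1.0.1',
  scripts: {
    postinstall: 'node ./setup.js',  // runs with the installing user's privileges
    test: 'mocha',                   // not an install hook; not flagged
  },
};

function report(label, manifest) {
  const findings = auditManifest(manifest);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) {
    if (f.kind === 'unpinned-dependency') {
      console.log(`  ${f.field}.${f.name} = "${f.spec}" is a range, not a pinned version`);
    } else {
      console.log(`  scripts.${f.hook} runs "${f.command}" during install`);
    }
  }
  return findings;
}

report('example-app', SAMPLE_APP_MANIFEST);
report('example-dep', SAMPLE_DEP_MANIFEST);
```

Pointing the audit at the manifests under `node_modules/` gives an inventory of which installed packages run code at install time; npm's existing `--ignore-scripts` flag (or the `ignore-scripts` config setting) stops those hooks from running at all, and pinning exact versions removes the automatic pickup of a newly published release.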
I can sort of understand using JavaScript in the browser. After all, it's the only option. But server-side?! There is no such restriction!
Why the heck would anyone choose to use such an awful, crippled language when they have numerous superior options?!
It baffles my mind how somebody would go out of their way to use such an awful language when there are so many better options available.
I'm not one to pre-judge. I tried out JavaScript, Node.js and npm for myself. I couldn't believe just how awful they were! Everything about them feels like a regression compared to their competitors.
I'm sure node.js fans will point out a detail that I missed.
Nah, they'll just copy and paste someone else's reply that they found on StackOverflow.