Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular -- albeit deprecated -- JavaScript package. The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team -- which analyzed this package earlier today after reports from the npm community -- says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library.
The basic problem is that ANY package may contain something malicious. How in the world can you possibly audit them? Many packages depend upon other packages as well. There is often a whole chain of dependencies. Any single one of those packages could have code injected into them (on purpose or because the maintainer got hacked and submitted a signed package that wasn't really theirs).
So, the choice is to reinvent the wheel or to accept a certain level of risk. A company with the resources of Apple or Google probably prefers to reinvent. But most companies don't have those resources. It is very expensive to audit (and you would have to audit every single version change).
I am not suggesting people ignore the problem. One does need to be vigilant, but often the cost/benefit is not there to do a thorough job of vetting.
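The comment above makes the point that a single dependency drags in a whole chain, every link of which is a separate package you would have to vet on every version change. The following script, added here as an example and not part of the BleepingComputer story or the comment, makes that audit surface visible by walking an npm `package-lock.json` (lockfileVersion 3 layout, where the `packages` map is keyed by `node_modules/...` paths). It resolves each dependency the way npm does (nearest `node_modules`, then each ancestor, then the root), collects the transitive closure, and reports how many distinct packages are actually in the tree, how deep the chain goes, which entries carry no `integrity` hash, and which names appear more than once with different versions (each of which is its own audit). The embedded lockfile and all package names in it are constructed for the example.

```javascript
// Walk an npm lockfile (lockfileVersion 3) and report the real audit surface.
// Run stand-alone on the constructed sample, or pass a path to a real package-lock.json:
//   node lock-audit.js [path/to/package-lock.json]

// Constructed sample lockfile; the package names and hashes are invented for illustration.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "web-framework": "^1.0.0", "logger": "^2.0.0" } },
    "node_modules/web-framework": {
      version: "1.0.0", integrity: "sha512-CONSTRUCTED-A",
      dependencies: { "cookie-helper": "^0.1.0", "logger": "^1.0.0" },
    },
    // web-framework needs an older logger, so npm nests a second copy under it.
    "node_modules/web-framework/node_modules/logger": { version: "1.0.0", integrity: "sha512-CONSTRUCTED-B" },
    "node_modules/cookie-helper": { version: "0.1.0", integrity: "sha512-CONSTRUCTED-C", dependencies: { "deep-util": "^3.0.0" } },
    "node_modules/deep-util": { version: "3.0.0" }, // deliberately has no integrity field
    "node_modules/logger": { version: "2.0.0", integrity: "sha512-CONSTRUCTED-D" },
  },
};

// npm's nested resolution: a package at `fromPath` requiring `name` gets the copy in its own
// node_modules, otherwise the nearest ancestor's node_modules, otherwise the root's.
function resolveDependencyPath(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root entry; returns every reachable package (by lockfile path)
// with the shortest depth at which it is reached and who first required it.
function walkDependencyTree(lock) {
  const seen = new Map();
  const unresolved = [];
  const queue = [{ path: "", depth: 0 }];
  while (queue.length) {
    const { path, depth } = queue.shift();
    const pkg = lock.packages[path] || {};
    for (const depName of Object.keys(pkg.dependencies || {})) {
      const depPath = resolveDependencyPath(lock, path, depName);
      if (!depPath) { unresolved.push({ name: depName, requiredBy: path || "(root)" }); continue; }
      if (seen.has(depPath)) continue;
      const dep = lock.packages[depPath];
      seen.set(depPath, {
        name: depName, version: dep.version, depth: depth + 1,
        requiredBy: path || "(root)", integrity: dep.integrity || null,
      });
      queue.push({ path: depPath, depth: depth + 1 });
    }
  }
  return { packages: seen, unresolved };
}

// Summarise what a reviewer would actually have to look at.
function auditSummary(lock) {
  const { packages, unresolved } = walkDependencyTree(lock);
  const all = [...packages.values()];
  const versionsByName = {};
  for (const p of all) (versionsByName[p.name] ||= []).push(p.version);
  const duplicateVersions = Object.fromEntries(
    Object.entries(versionsByName).filter(([, versions]) => versions.length > 1));
  return {
    directCount: all.filter(p => p.depth === 1).length,
    transitiveCount: all.filter(p => p.depth > 1).length,
    totalToAudit: all.length,
    maxDepth: all.reduce((m, p) => Math.max(m, p.depth), 0),
    missingIntegrity: all.filter(p => !p.integrity).map(p => `${p.name}@${p.version}`),
    duplicateVersions,
    unresolved,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  console.log(JSON.stringify(auditSummary(lock), null, 2));
}
```

On the sample, two direct dependencies turn into five packages to review, the chain is three levels deep, `logger` has to be read twice because two versions ship, and `deep-util` has no integrity hash in the lockfile, so nothing would pin its tarball contents between installs. A missing or changed `integrity` value on an existing dependency after a version bump is exactly the kind of diff worth looking at before accepting the update.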