[jkrems]

They didn't deploy the code. That's not how this exploit works. They _downloaded_ the code to their machine. And npm's behavior is to implicitly run arbitrary code as part of the download - including, in this case, a script to harvest credentials and propagate the worm. That part has everything to do with npm behavior and nothing to do with how much anybody reviewed 3P deps. For all we know they downloaded the new version of the affected package to review it!

[Ajedi32]

If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time? Who manually reviews new versions of their project dependencies after installing them but before running them?

GP is correct. This is a workflow issue. Without a review process for dependencies, literally every package manager I know of is vulnerable to this. (Yes, even Maven.)

[zahlman]

> If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time?

Many such forms of malware have already been published and detected.

> Who manually reviews new versions of their project dependencies after installing them but before running them?

One person putting in this effort can protect everyone thereafter.

The PyPI website has a "Report project as malware" button on each project page for this purpose.

But yes, this is the world we live in. Without this particular form of insecurity, there is no "ecosystem" at all.

[locallost]

Thank you.