Hi.

NPM, the nodejs package manager, doesn't check for https signatures when
communicating with the central repo, which could give an attacker with MITM
capabilities the possibility to execute code.

The issue is here <https://github.com/isaacs/npm/issues/1204>.

The maintainer considers this to be a bug that is on his "eventually" list.

Some interesting quotes:

> You should be very careful telling those you've never met how little they
> care about something. If I didn't care about security at all, I wouldn't
> work on it at all. However, you are making the mistake of most
> security-focused engineers, and apparently missing that there is anything
> *else* to be concerned with. This is a classic cognitive bias of
> over-estimating the threat of a low-probability failure mode.



> If there are linux distros picking up *such an immature and
> developmental* project like npm, then
> *it is to their folly*. I never suggested that they do such a thing, and
> in fact, have campaigned several times to have npm removed from other
> package manager indexes. People should install node and npm from the source
> code. In a year or two, it might be a good idea, but for now, npm is still
> changing too quickly, and is too unstable.

I find it quite baffling, since node is a pretty popular language and npm
is the most popular way for them to install packages, but hey.

I just thought it would be interesting to let you guys know and would be
quite interested to hear your thoughts.

Thanks,
Pedro

-- 
GPG: http://is.gd/droope <http://is.gd/signature_>