There's a huge difference, because postinstall scripts are almost guaranteed to run in your CI pipeline. Compromised code probably won't (maybe it will if your test cases test a compromised package). Different attack profile. Worse in some ways (your CI likely has NPM push tokens, which is how this single-package worm became a multi-package self-replicating worm) (your CI pipeline also likely has some level of privileged access to your cloud environment; deployed services are more likely to be highly scoped). But, better in some ways.

It's childish to believe that because you can't fix everything you shouldn't fix anything. Defense in depth.

> There's a huge difference, because postinstall scripts are almost guaranteed to run in your CI pipeline. Compromised code probably won't (maybe it will if your test cases test a compromised package)

You don't need to test a compromised package to have it execute code. Importing it anywhere in your tests is enough, even transitively.

It's for sure less likely to run but I doubt it's significantly different in practice.

If you look at the last N npm worms, they all used postinstall scripts.

Is that even true?

So N=1? 2? 3?

At least 3 that I can remember off the top of my head in these last couple of months. If you look further back you will find more.