Where is all the Node.js malware?

  • This actually goes to the point behind the http://nodesecurity.io initiative - building up the security mindedness of the node community by auditing npm modules for various vulnerabilities and making it easy to responsibly disclose vulnerabilities to module maintainers [1].

    We're in the process of the first audit wave (checking for things like child_process.exec), and have already had several modules get patched.

    IIRC, the npm maintainers have expressed interest at the recent node confs/meetups about incorporating security advisory information into the npm package results, to alert people about potential issues when installing modules.

    [1] http://blog.liftsecurity.io/post/52010883123/security-md-imp...

  • I'd wager it primarily is due to market share. Why infect .001% of the Node.js community when you could infect .0001% of the PHP community.

    Given that it's a newer language, it's likely that node.js users are more technically skilled. Few people learn node.js as their first language. In PHP for instance, we've all seen code online from novices with horrible SQL injections (...a $_GET or $_POST directly in the query).

    Node.js has a lot less legacy code. (E.g. Linux has had 1000s of exploits over the years; if left unpatched you're in for a bad day.)

  • Many (most?) packages are on GitHub. If one is popular with the community, I am less likely to believe it is malware.

    http://eirikb.github.io/nipster/

    For now, the ease at which we can build npm modules allows the ecosystem to grow. When it gets popular, we can rethink our approach.

  • Is there any difference with Python and PIP, or Ruby and gems?

  • It happened once (by accident) on the popular "n" package.

    https://github.com/visionmedia/n/issues/86

  • Hi all,

    Thanks for all the comments, they are very much appreciated. I'm going to write a follow-up piece soon - if you want to send me feedback directly, please feel free.

    I tend to agree with the point that NPM isn't a big enough target yet to make writing subtly malicious modules worthwhile. However, I don't think that's particularly reassuring. I also suspect that more people are using SSL/TLS directly from node (and running as root) than you might think. Malware targeted at developers may well become more of a big deal in the future.

    The issue is generic with most package management systems. What I really wanted to talk about was why malware is an apparent problem in some projects and 'ecosystems' and why it isn't in others. The general consensus when talking to other security researchers is that a decent package management system is vital to security. Much like the Google Play store is a key part of Android security. However, NPM (sadly) doesn't really support that hypothesis, as (when I wrote the piece) it wasn't obvious how to report bad modules.

    I'd also like to applaud the work that nodesecurity.io is doing - it's a very worthwhile project.

    Best wishes,

    John

  • Malware I don't know, but I know for sure that it's trivial to write a DDoS tool with it.

    I blew my NSP network out of the way with line-rate small packets on a low-end box which made me reconsider my dislike for node :)

    I wrote something similar for PHP and it was pretty slow, which was kinda surprising. C/PY/PL is fairly easy, and I only got multi-Gbps out of C, but in fairness it's a lot easier in C...

  • Isn't this the case with any package management system? In most Linux distributions it is common to be able to do (the equivalent of) "apt-get install X" just to try out X. Almost every programming language I've used had its own package manager that installs things just as simply.

  • > By necessity, you are also giving it access to your domain certificates and private keys.

    By necessity? I'd argue the opposite, by necessity don't do this at all or ever. Is this person terminating SSL at their node app? Because for anything but a toy that's probably a bad idea.

  • There are infinitely simpler targets for malware with better returns than writing a package to be used by developers in the hope you'd be able to scoop up random certs and database credentials of limited value. It is POSSIBLE your package would get installed on a server run by an organization with credentials that a malware author would care about: but unlikely, and quite frankly not worth waiting for the day when you can make more money (for example) breaking into CMS servers and distributing browser exploits.

  • A contagious organism needs an adequate density of susceptible hosts to survive, or a long incubation period to wait for opportunity to strike and infect a new host, effectively allowing it to perceive adequate density of hosts. Perhaps "nodejs" is not adequately prevalent, perhaps malware for it is very clever, perhaps both?

  • The many-eyes theory might not apply as a whole, but when every contribution to a codebase has a small surface area, and goes through a GitHub pull request, it is thoroughly examined by at least one person, usually a handful in popular modules. It'd be much harder to slip something malicious through.

  • Why not read the source of whatever you're using before running it?

  • Where is all the FreeBSD malware?