For those who don't know, npm is a JavaScript library manager that makes installing and managing JavaScript library programs much easier. npm is available on a number of Linux distributions: Debian, Ubuntu, RedHat and a number of others. In my case my concern is doing some software development on a Raspberry Pi using Raspberry Pi OS (a Debian variant), using npm to bring in a library program that makes it more-or-less painless to bring in a library program that converts .xml files to .json files. npm does what it was supposed to, bringing in JavaScript, but it makes a false assumption that software developers are NOT malicious. Since September 2025 security researchers have been aware of a worm program dubbed "Shai-Hulud 2.0" (named after the giant worm in Frank Herbert's science fiction novel "Dune"); details here: <https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/>. Shai-Hulud 2.0 can do a number of things, all of them bad. So, how can you protect yourself from Shai-Hulud 2.0 when using npm?
From: Colin McGregor via Talk <talk@lists.gtalug.org>
> So, how can you protect yourself from Shai-Hulud 2.0 when using npm?
npm has always been a security disaster. Not just the two Shai-Hulud worms. That's why I don't intentionally use npm. But things I do use probably do use it. It looks as if folks are trying to address this problem, but fixes are a Work In Process. <https://openjsf.org/blog/publishing-securely-on-npm> I think that all public repos of source have this problem but JavaScript has it worse than most others.
Participants (2):
- Colin McGregor
- D. Hugh Redelmeier