The latest articles on DEV Community by Aurimar (@aurimarl). https://dev.to/aurimarl https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F800875%2F0b0adc7d-74b6-41d3-9f41-e993f67a2cda.png https://dev.to/aurimarl en Aurimar Tue, 26 Nov 2024 17:48:11 +0000 https://dev.to/aurimarl/how-i-accidentally-hijacked-an-npm-package-198e https://dev.to/aurimarl/how-i-accidentally-hijacked-an-npm-package-198e <p>As developers, we often focus on writing clean code and building innovative features. However, sometimes it's the seemingly small decisions that can have significant implications. I recently had an experience that I believe is crucial to share with our community. hashtag#DeveloperLessons</p> <h2> The Incident </h2> <p>While working on a fork of an open-source project, I decided to publish my modifications to npm. Due to some publishing errors and, admittedly, a bit of impatience, I made a critical mistake:</p> <ol> <li>I removed the <em><a class="mentioned-user" href="https://dev.to/scope">@scope</a></em> from the original <a class="mentioned-user" href="https://dev.to/scope">@scope</a>/PackageName.</li> <li>Published my fork simply as <em>PackageName</em>.</li> </ol> <h2> The Unintended Consequence </h2> <p>The original package used a common npx command in its documentation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npx PackageName </code></pre> </div> <p>By publishing my fork with the same name, I inadvertently "hijacked" all calls to this command. Users intending to use the original package would now be directed to my fork instead.</p> <h2> The Security Implications </h2> <p>This situation highlights a significant security risk in our npm ecosystem. If exploited maliciously, such an oversight could lead to the distribution of compromised code to unsuspecting developers.</p> <h2> Key Takeaways </h2> <ol> <li>Always thoroughly understand npm scopes before publishing.</li> <li>Be extremely cautious when naming packages to avoid conflicts.</li> <li>Double-check your package name and its potential impact on existing packages.</li> <li>When forking and publishing, always use scoped packages.</li> </ol> <h2> Responsible Disclosure </h2> <p>Upon realizing my mistake, I immediately:</p> <ol> <li>Contacted the original repository owner. You can view our discussion here: <a href="https://lnkd.in/d6fBbP9z" rel="noopener noreferrer">GitHub Issue #67</a> </li> <li>Documented the incident for transparency. My forked repo: <a href="https://lnkd.in/dVx7FEs6" rel="noopener noreferrer">AurimarL/surrealdb-client-generator</a> </li> </ol> <h2> Call to Action </h2> <p>As members of the developer community, we have a shared responsibility to maintain the integrity and security of our package ecosystems. I encourage everyone to:</p> <ul> <li>Regularly audit your published packages</li> <li>Stay vigilant about package names and versions in your projects</li> <li>Contribute to discussions about improving npm security</li> </ul> <p>Let's work together to create a more secure and robust development environment for all.</p> javascript node npm security