DEV Community

loading...

Discussion on: How a compromised NPM package can steal your secrets (POC + prevention)

Collapse
yoursunny profile image
Junxiao Shi

What if the entrypoint script modifies process.env, clearing the secret?
Does it stop the attack?

Collapse
maxivanov profile image
Max Ivanov Author

I think yes, and I've seen someone doing this. Do it first thing in the code (before the dependencies are loaded) and make sure subsequent invocations of the same Lambda instance do not depend on it anymore. A bit hacky but sounds like it should work!