Notified: February 12, 2016 Updated: March 25, 2016
Affected
The lifecycle script feature that the worm relies upon is intrinsic to the operation of npm and many other package managers. We have made a decision balancing security against utility and decided not to disable this feature. Any step short of disabling this feature becomes a cat-and-mouse game of attempting to predict what a given user script will do, which becomes akin to the halting problem.

Our real-world mitigation steps are:

1. Registry publishing has a kill switch independent of registry installs, so a worm's progress can be instantly halted once identified.
2. We can programmatically identify and un-publish, post hoc, any compromised packages, reverting them to their last good versions.

Users who are uncomfortable with this decision can disable this feature at the client side with the `ignore-scripts` option, which can be invoked at install time or permanently set with `npm config set ignore-scripts true`.
We are not aware of further vendor information regarding this vulnerability.