Dear Friend,
Hacking a Node.js application might sound like something that will never happen to your application.
That’s some far-off land of hackers that you typically stay away from.
I would beg to differ: if you have ever used the following command, you are closer to a hacker than you think.
Back in August of 2017, the npm registry reported that it had found malicious packages in its repository.
You can read the complete story here.
The “attack” was typosquatting: publishing a package under a name that looks almost like a popular module’s, and hoping that a careless user would install the package with the wrong name.
Once the package was installed and you started your application, its code would execute automatically.
YES! All the power that Node.js gives you is now available to some random hacker, who can do anything they could do if they were executing code directly on your machine.
Most new JavaScript developers don’t know that they have the ability to publish their own modules to the npm registry without having to pay a fee or go through some approval process.
You simply write some code, set up an account and click on the publish button.
You might think this sounds like a really good idea at first, but when you start to think about how it could go wrong, you can clearly see how a bunch of applications are open and ready for a takeover by some random hacker.
Knowing this small detail might seem trivial, but think about it this way:
if you control a package, and that package controls the data flow of hundreds of other programs, doesn’t that put you in control?
The good and the bad about open source software is that you have to trust the other person that is sharing with you the source code that you will be using.
The simplest way to acquire this trust is to just read the source code, but let’s be honest for a second.
NO ONE READS THE SOURCE CODE!
Most people take the lazy route and base their decisions on what everyone else is doing, hope that the masses are right, and continue writing code.
This shortcut is both good and bad; at the same time, if you are working with a large enough project, security audits need to be in place to make sure that everything is as secure as possible, instead of relying on hope and thinking that everything is going to be OK.
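The two things the letter warns about, look-alike package names and code that runs automatically at install time, are both checkable with a few lines of Node.js. The script below is an added example and not part of the original letter or of npm; the popular-package list and the two sample manifests are constructed for illustration, and a real audit would compare against the registry’s download rankings and read the manifests out of node_modules.

```javascript
// Added example (not from the original letter): a small dependency audit that
// flags (1) dependency names within a tiny edit distance of well-known package
// names, the pattern behind the 2017 typosquatting incident, and (2) installed
// packages whose manifest declares install-time lifecycle scripts, which npm
// runs automatically during `npm install`.

// Constructed list of "well-known" names; a real audit would use the top-N
// most-downloaded packages from the registry instead of a hard-coded list.
const POPULAR = ["express", "lodash", "react", "cross-env", "babel-cli", "mongoose"];

// Lifecycle hooks that npm executes for a dependency while installing it.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Classic single-row Levenshtein edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], becomes next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names that are not a popular package but differ from one by at most
// maxDistance edits. Heuristic: short names can collide by accident, so the
// output is a list for a human to review, not an automatic block list.
function findLookalikes(depNames, popular = POPULAR, maxDistance = 2) {
  const hits = [];
  for (const name of depNames) {
    if (popular.includes(name)) continue; // exact match: the genuine package
    for (const target of popular) {
      const d = levenshtein(name, target);
      if (d <= maxDistance) hits.push({ name, lookalike: target, distance: d });
    }
  }
  return hits;
}

// Installed packages that will run a command during `npm install`.
function findInstallScripts(manifests) {
  const hits = [];
  for (const m of manifests) {
    const scripts = m.scripts || {}; // a manifest may omit "scripts" entirely
    for (const hook of INSTALL_HOOKS) {
      if (scripts[hook]) hits.push({ name: m.name, hook, command: scripts[hook] });
    }
  }
  return hits;
}

function audit(appManifest, installedManifests) {
  const depNames = Object.keys(appManifest.dependencies || {});
  return {
    lookalikes: findLookalikes(depNames),
    installScripts: findInstallScripts(installedManifests),
  };
}

// Constructed sample input: an application package.json with two mistyped
// dependency names, plus the package.json of each installed package. The
// "setup.js" command is made up for the example.
const SAMPLE_APP_MANIFEST = {
  name: "my-app",
  dependencies: { express: "^4.16.0", crossenv: "^5.0.0", lodahs: "^4.17.4" },
};
const SAMPLE_INSTALLED = [
  { name: "express", version: "4.16.0", scripts: {} },
  { name: "crossenv", version: "5.0.0", scripts: { postinstall: "node setup.js" } },
  { name: "lodahs", version: "4.17.4" },
];

const report = audit(SAMPLE_APP_MANIFEST, SAMPLE_INSTALLED);
for (const h of report.lookalikes) {
  console.log(`suspicious name: ${h.name} (looks like ${h.lookalike}, distance ${h.distance})`);
}
for (const h of report.installScripts) {
  console.log(`${h.name} runs a command on install via ${h.hook}: ${h.command}`);
}
```

On the sample input the audit reports crossenv (distance 1 from cross-env) and lodahs (distance 2 from lodash) as look-alike names, and crossenv as the only package with an install-time script. Neither finding proves a package is malicious; the point is that both are cheap to surface before the code ever runs, which is exactly when a review is still useful.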
If you want to learn how to publish your own npm modules, I’m putting together a FREE webinar that goes over everything you need to know to become a Full-Stack Developer who is able to understand this type of problem and how to fix it from the get-go.
Talk soon,
Rick H.