This repository has been archived by the owner on Jun 14, 2018. It is now read-only.

Display this page as deprecated on npm #12

Open: wants to merge 2 commits into base: master
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
**/node_modules/**/*
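Review bot: the pattern `**/node_modules/**/*` ignores only the contents of `node_modules` directories, not the directory entries themselves, so an empty `node_modules` still shows up in `git status`. The conventional one-line form `node_modules/` is simpler: a pattern with no slash other than a trailing one is unanchored, so it matches a directory of that name at any depth and ignores the directory as a whole.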
4 changes: 4 additions & 0 deletions README.md
@@ -0,0 +1,4 @@
## Deprecated
This package shadows a standard library in NodeJS. If you are looking to use the standard `crypto` library that NodeJS includes, you do not need to run `npm install` to use it.

See [the recent 'fs' debacle](http://status.npmjs.org/incidents/dw8cr1lwxkcr) for more information.
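Review bot: a README change on its own does not make npm display the package as deprecated, which is what the PR title asks for. The registry prints a deprecation warning at install time only after a maintainer runs `npm deprecate crypto@"*" "<message>"` (or sets the flag on the npm website), and that needs no commit to this repository. The wording "shadows a standard library" is also misleading: Node always resolves `require('crypto')` to the core module before looking in `node_modules`, so this package is never loaded in place of it; it is simply an unnecessary install. Suggest stating that directly, e.g. "This package is not the Node core `crypto` module; Node provides that module without any `npm install`."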
8 changes: 0 additions & 8 deletions Readme.md

This file was deleted.
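Review bot: deleting `Readme.md` while adding `README.md` is a case-only rename. Git on case-insensitive filesystems (macOS and Windows defaults) handles this badly when it is split into a delete plus an add, so do it with `git mv Readme.md README.md` in one commit. Also, the 8 removed lines of the original description are dropped entirely rather than kept below the deprecation notice; keeping them would help someone landing on the package understand what they actually installed.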

16 changes: 10 additions & 6 deletions package.json
@@ -1,9 +1,13 @@
{
{
"name": "crypto",
"id": "crypto",
"version": "0.0.3",
"description": "JavaScript implementations of standard and secure cryptographic algorithms.",
"keywords": [ "crypto", "md5", "sha1" ],
"keywords": [
"crypto",
"md5",
"sha1"
],
"author": "Irakli Gozalishvili <rfobic@gmail.com>",
"repository": {
"type": "git",
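Review bot: `"version": "0.0.3"` is unchanged in this hunk. The registry rejects publishing a version that already exists, so if the intent is to publish the new README a bump (for example to 0.0.4) is required; if the intent is only to set the registry deprecation flag, none of the package.json edits are needed at all. The opening `{` also appears twice (removed and re-added) with no visible content change, which is the usual sign of a line-ending or BOM change; check with `git diff --ignore-space-at-eol` before merging so the hunk does not hide a whole-file rewrite. The `keywords` expansion is purely cosmetic.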
@@ -22,8 +26,8 @@
"scripts": {
"test": "node test/test-crypto.js"
},
"licenses": [{
"type" : "BSD",
"url" : "http://pajhome.org.uk/site/legal.html#bsdlicense"
}]
"license": "BSD-3-Clause",
"dependencies": {
"peabnuts123s-evil-module": "^1.0.4"


This was removed from npm and replaced with the "security holder module" - why add it as a dependency?

Author

Admittedly this was a somewhat underhanded attempt for me to demonstrate how one could fairly easily create a worm in npm. This package gets a lot of accidental installs. My old peabnuts123s-evil-module used to install itself as a primary dependency upon being installed as any level of subdependency. It did nothing malicious, just installed itself as a proof of concept around the security of npm and JavaScript's dependency culture. My package got cleaned up in a sweep npm did of their repository sometime last year due to the way it was linked to some other packages and I was unable to get it reinstated.

If you would be interested in allowing me to recreate this demonstration I could create another package and update my Pull Request. I am very concerned that somebody with malicious intent will pull off something like this and compromise hundreds of thousands of people's packages, computers, networks, etc. at some point in the future. Feel free to message me on Twitter @peabnuts123 or email me on peabnuts123@gmail.com if you want me to talk you through more of this. I gave a presentation at a conference, "Kiwicon", in 2016 to around ~2k people on this and would love to raise awareness further, given the opportunity. Thanks!

}
}
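Review bot: the added `"peabnuts123s-evil-module": "^1.0.4"` dependency should be dropped from this hunk. It has nothing to do with marking the package deprecated, and per the discussion above that name was removed from the registry and replaced with a security placeholder, so anyone who installs `crypto` (which the README says happens by accident often) would pull in whatever is published under that name at the time. A deprecation-only change should leave the package with no `dependencies` block. Replacing the `licenses` array with `"license": "BSD-3-Clause"` matches the current npm field format, but the removed `url` pointed at the pajhome.org.uk BSD text; confirm that text is in fact the 3-clause variant before asserting that SPDX identifier.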