Why You Should Think Twice Before Installing an npm Package or Module
npm packages are one of the most amazing things that ever happened to JavaScript. npm says there are over 800,000 packages in the npm repository, making it the largest open-source code repository in the world. Since the JS community is so familiar with and used to code reuse, npm was a blessing for us.
Although npm has been very successful, you must know what you might run into if all hell breaks loose. This article isn’t intended to freak you out but rather to educate you on the possible risks you face when you install an npm package. Understanding the security concerns in the npm ecosystem is an absolute must for anyone doing JavaScript-related development.
What's Wrong With npm Packages?
Malicious modules
In npm, anyone with an email address can contribute, while anyone with an npm client can consume a module. A module can become malicious because:
- Upon requiring it, the module could gather information from your system or network and send it to a third party, which can cause you several issues.
- Upon installing it, the module could have an install phase in which it runs destructive commands, for example rm -rf /
You might now wonder why anyone would install a malicious module knowing about the security risks they pose. There are several reasons.
You’re too lazy
Yes, this is how lazy people are. Modules are very much capable of containing security vulnerabilities.
You might say you’re not stupid enough to install modules like this. But, to be honest, you might have installed a genuine package that added a malicious package as a dependency. At the end of the day, either you or the module developer was lazy, and it might cost you as a user.
Typosquatting
This is a form of attack where malicious packages are given names similar to real modules, so an accidental typo by the user installs the malicious package instead. This problem is commonly found in the PyPI Python registry as well. npm has added new naming rules to address it.
Malicious contributors
In another scenario, the owner of the package might have had genuine intentions, but a malicious contributor can send a PR with a backdoor, or even add a project dependency that contains vulnerabilities.
You might not notice this, even during code review, and then you end up with a malicious package that can infect millions of users.
Compromised contributors
A member of the Node Core Technical Committee was able to gain publish permissions for popular repositories such as:
- Debug
- Express
- React
- React Native
- Mongoose
- Electron
- MySQL
And the list goes on.
How did they manage to get permissions for these packages? Poor passwords.
According to Nikita, 662 users had the password 123456, 174 users had the password 123, and 124 users had the password password.
EventStream Chaos
EventStream is a toolkit that makes it easy for developers to create and work with streams. This module was compromised when it was infected with a vulnerable dependency in order to steal bitcoins from wallet applications.
The original owner of the package had transferred its ownership to a user named right9ctrl. The owner indicated that he hadn’t used the module for years and transferred ownership after he received an email regarding its maintenance.
The new maintainer then released a new version of the package with a new dependency called flatmap-stream that contained the malicious code. As flatmap-stream was encrypted, the malicious code remained undetected for over two months, until a user flagged an issue. npm then reviewed the malicious code and found it to be stealing bitcoins from Copay wallets, as Copay is said to have incorporated EventStream into its app.
The backdoor has since been removed from npm.
Vulnerability Discovered in Komodo’s Agama Wallet
Blockchain business Komodo discovered a vulnerability upon receiving a private notification from npm about a vulnerability in one of the upstream libraries Komodo’s Agama Wallet was using.
The malicious bug was specifically targeted at Komodo’s version of Agama Wallet. The hacker had spent several months making useful contributions to the Agama repository and eventually added malicious code to an update of a module that Komodo’s Agama was already using.
In an attempt to safeguard the funds, the Komodo team acted swiftly and moved 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens, worth almost $13 million, out of the wallets and into two digital wallets under its control. The customers were later advised on how to reclaim their lost funds.
The vulnerable package, electron-native-notify, was added to the dependencies of Agama by the hacker. This vulnerability followed a pattern of attack similar to the one made on the event-stream module.
In the end, the hacker managed to gain control of approximately 1 million KMD, which is approximately $750,000 at the time of writing.
The ‘left-pad’ Fiasco
This was one of the more popular events, making news by breaking thousands of projects, including Node and Babel. The man behind the whole fiasco was Azer Koçulu, the owner of the package. The package pads out the left-hand side of strings with zeroes or spaces.
This incident came after a naming dispute with the messaging app Kik, where one of Azer’s modules was also called Kik. According to Koçulu, Kik’s lawyers told him to rename the module. He refused, so the lawyers went to npm’s admins claiming brand infringement. When npm took Kik away from the developer, he was furious and unpublished all of his npm-managed modules.
“This situation made me realize that npm is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.” — Blog post by Koçulu
Because of the huge drama, npm stepped in and fixed the issue by forcibly restoring the project, which was unprecedented. The CTO of npm also said, “Un-un-publishing is an unprecedented action that we’re taking given the severity and widespread nature of breakage, and isn’t done lightly.”
This incident shows the level of fragility in our applications: if one package is removed from npm, it can affect thousands of users.
It’s true that, in this case, there wasn’t much of a security concern. But what if the author had decided to push some malicious code that didn’t produce an error and wasn’t easy to notice?
Something for you to think about.
How to Be Safe
As I mentioned at the beginning of this article, my intention is not to freak you out but rather to educate and spread awareness.
Users
- Pay attention to what modules you’re using. Don’t install unnecessary packages.
- Make sure there are no typos when you install a package. Although this has been fixed on npm’s end with their new rules, it’s better to be safe on your end as well.
- Run security audits (npm audit) to find and fix security vulnerabilities in existing packages.
- Use tools like Snyk that allow you to find out whether the packages you’re about to install are vulnerable or contain any malicious code. Over 400,000 developers use Snyk.
Module author
- Use 2FA with authentication tokens on npm, and use tools such as Snyk in your continuous integration.
- Make sure your passwords aren’t reused from anywhere and that they’re quite strong (no 12345678 or password).
Enterprise
Here are some of the solutions given by Kate at QCon.
- Although this doesn’t sound very practical, some companies opt to write everything from scratch.
- Paying open-source maintainers: although this holds someone responsible for the security of the package, it doesn’t guarantee they won’t be compromised.
- Code audits: they can be great, but they still can’t assure you of the stability of a package, because there are things that code audits miss.
- Set up a private npm repository. Although it’s convenient to use public repositories, you run the risk of your npm modules’ security becoming compromised.
Conclusion
That’s it for this article. I highly advise you to read the resources below to get a thorough knowledge of npm security.
Happy coding!
Resources
“Malicious Modules — what you need to know when installing npm packages” by Liran Tal
“Hacker Infects Node.js Package to Steal from Bitcoin Wallets” by Trend Micro
“Someone slipped a vuln into crypto-wallets via an NPM package” by Thomas Claburn
“Malicious NPM Development Kit” by Joel Thomas
“How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript” by Chris Williams
Presentation on “Making Npm Install Safe” by Kate Sills
Translated from: https://medium.com/better-programming/why-you-should-think-twice-before-installing-an-npm-package-or-module-83c7f83bda65