My latest side project led me to an interesting npm package named I.
The package promises "Just import it and all your problems will go away!" and the linked code on GitHub seems innocent enough:

But viewed in RunKit, the code reveals a more sinister intention.

On import, this package tries to spin up a process and run the command rm -rf /. Luckily, on most systems this will be stopped by the trusty no-preserve-root failsafe.
The package has been unpublished from npm. The package metadata shows 3 releases on 1st April 2017, so I'm guessing this was a fairly nihilistic April Fools' joke.
This shows the need for care when choosing and using third-party modules from npm or other package repositories.
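The gap described above, where the GitHub code looks innocent but the published code does something else, can be checked before anything is imported. The following is an added example, not code from the package or its author: it hashes an unpacked registry tarball and a repository checkout and lists the published files the repository cannot account for. It assumes the tarball was fetched with `npm pack` and extracted to a `package/` directory; the function names and the sample trees are hypothetical and constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');
// Relative path -> SHA-256 for every regular file under root (symlinks skipped).
function hashTree(root, skip = new Set(['.git', 'node_modules'])) {
  const out = new Map();
  const walk = (dir) => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      if (skip.has(ent.name)) continue;
      const full = path.join(dir, ent.name);
      if (ent.isDirectory()) { walk(full); continue; }
      if (!ent.isFile()) continue;
      const digest = crypto.createHash('sha256').update(fs.readFileSync(full)).digest('hex');
      out.set(path.relative(root, full).split(path.sep).join('/'), digest);
    }
  };
  walk(root);
  return out;
}

// Files in the published package that the repository checkout cannot account for.
function diffPublished(publishedDir, repoDir) {
  const [pub, repo] = [publishedDir, repoDir].map((d) => hashTree(d));
  const report = { modified: [], onlyInPublished: [] };
  for (const [rel, digest] of pub) {
    if (!repo.has(rel)) report.onlyInPublished.push(rel);
    else if (repo.get(rel) !== digest) report.modified.push(rel);
  }
  report.modified.sort(); report.onlyInPublished.sort();
  return report;
}

// Constructed sample trees (hypothetical package "sample"); nothing here is executed.
function buildSample() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'pkgdiff-'));
  const write = (rel, text) => {
    const full = path.join(base, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, text);
  };
  write('repo/index.js', "module.exports = () => 'ok';\n");
  write('repo/package.json', '{"name":"sample","version":"1.0.0"}\n');
  write('package/index.js', "require('child_process'); // differs from repo\n");
  write('package/package.json', '{"name":"sample","version":"1.0.0"}\n');
  write('package/lib/extra.js', '// not in repo\n');
  return { published: path.join(base, 'package'), repo: path.join(base, 'repo') };
}
const demo = buildSample(); console.log(diffPublished(demo.published, demo.repo));
```

Packages with a build step legitimately ship files that differ from the repository, so treat the output as a list of files to read before the first import rather than as a verdict.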