11
donnico
7y

So today it finally happened.

Npm modules broke my system and / or endangered the security of my system.

Installed a global cli utility
That utility depends on package A
That depends on package B

That fucking install a bin called sudo

Yeah.. You heard it right a bin called sudo.

This bin goes in the global module folder that is piped in your path variable.

Now everytime you type sudo you are running somebody else code instead of your system utility.

I am shivering and at loss of swear words.

Opened an issue on the cli that started this matrioska game of horror.

Who the fuck tought that a bin called sudo would be a good fucking idea?

Oh and yes is even an harmless package that try to provide the sudo experience for windows (I went in to check the code of course..)

And I frigging need that cli for work

For now I aliased the sudo in my bashrc still i feel vulnerable and naked now.

Comments
  • 0
    What cli is it?
    Seems very suspicious
  • 0
    Turns out that is not the cli fault but when running yarn global upgrade yarn pulls this trick
  • 0
    @sunfishcc forgot to mention you
  • 0
    @donnico this looks like a very dumb idea btw
  • 1
    @sunfishcc totally, yet is used.. I am at loss of words
  • 0
    @donnico Password, yo!
  • 0
    So wait, is this a Yarn issue then? not the cli you used from NPM?
  • 0
    @Vip3rDev apparently is a Yarn issue yes! Npm or yarn they both install the same packages :)
  • 0
    Don't install it globally then. Add the CLI to the devDepebdencies of the project you need it for, then run it via package.json-script (using its name like you would if it was installed globally) or from the terminal with ./node_modules/.bin/the-clis-name
  • 0
    @heikomat nah not possible is a cli written in node but is to manage IOT devices and is not a dependency of a project
Add Comment