An NPM installer for PureScript was found to contain malicious code. Software developer Harry Garrood and his team made the discovery the previous week. They also detected two exploits that made the malicious code work. According to Garrood, the malicious code was inserted to stop the NPM installer from running correctly. The installer was created by Japanese developer Shinnosuke Watanabe.
Garrood says that the code prevented the download of the installer, subsequently crashing the application. The reason was the presence of the two exploits, which activated the code. “The first exploit did this by breaking the load-from-cwd-or-npm package so that any call to loadFromCwdOrNpm() would return a PassThrough stream instead of the package we were expecting,” Garrood explained.
“The second iteration of the exploit did this by modifying a source file to prevent a download callback from firing,” Garrood added.
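
Both failure modes Garrood describes, a loader that returns a PassThrough stream instead of the expected package and a download callback that never fires, can be turned into explicit errors by the consuming code. The following is an added example, not code from the PureScript installer or its dependencies; `verifyLoaded`, `withDeadline` and the `example-pkg` export shape are hypothetical.

```javascript
// Added example; verifyLoaded, withDeadline and 'example-pkg' are hypothetical names.
const { PassThrough, Stream } = require('stream');

// Classify what a dynamic loader returned, so a substituted value is reported
// instead of being handed to code that expects a package export.
function classifyExport(value) {
  if (value instanceof Stream || (value && typeof value.pipe === 'function')) return 'stream';
  if (typeof value === 'function') return 'function';
  if (value !== null && typeof value === 'object') return 'object';
  return value === null ? 'null' : typeof value;
}

// Throw unless the loaded value has the expected kind and required methods.
function verifyLoaded(name, value, { kind, members = [] }) {
  const actual = classifyExport(value);
  if (actual !== kind) throw new TypeError(`${name}: expected ${kind} export, got ${actual}`);
  const missing = members.filter((m) => typeof value[m] !== 'function');
  if (missing.length) throw new TypeError(`${name}: export lacks ${missing.join(', ')}`);
  return value;
}

// Reject when start(cb) does not invoke cb within ms milliseconds, so a
// callback that never fires becomes an error rather than a silent hang.
function withDeadline(start, ms) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => reject(new Error(`callback not fired within ${ms} ms`)), ms);
    start((err, result) => {
      clearTimeout(timer);
      if (err) reject(err); else resolve(result);
    });
  });
}

// Constructed inputs: a stand-in package export and the substituted stream.
function demo() {
  const spec = { kind: 'object', members: ['install'] };
  const results = { good: verifyLoaded('example-pkg', { install() {} }, spec) !== undefined };
  try {
    verifyLoaded('example-pkg', new PassThrough(), spec);
    results.tampered = 'accepted';
  } catch (e) {
    results.tampered = e.message;
  }
  return results;
}

console.log(demo());
withDeadline(() => {}, 50).catch((e) => console.log(e.message));
```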