• go and download some code from the internet
• created by someone you have never met and do not know
• unpack this code
• and run it on your computer without looking at its source

• running it on your company servers?
• or in you CI pipelines during production deployment?

The whole "package" managers ecosystem is built on trust.

We blindly trust package maintainers

that their code is safe.

My computer

Registry

My computer

Registry

• Attacker gains an access to the registry acting as a verified package maintainer
• Publishes new version of a package containing malicous code
• The package can get installed and executed by trusting developers all around the world 

• targeted phishing campaigns
• by gaining access to maintainer devices through another methods (code injection, malware...)

• disallow automatic code run of just installed package ("postinstall" scripts in case of NPM)
• lock your versions using lock files (package-lock.json, yarn.lock...)
• do not allow automatic updates (specify exact versions without ~, ^, >= and similar operators
• run `npm audit` periodically, ideally in your CI pipelines
• use 3rd party services to scan for vulnerabilities