npm i ... not long after pass my-password allows a malicious package to steal my entire password store.
I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root.
The first time I retrieve a password with pass my-password, I need to type the passphrase of my GPG private key. Then, the GPG agent will keep this passphrase in memory for a few minutes. Same with sudo: running a few consecutive sudo commands will only ask for the password once.
Now, when I install packages with npm install ... (or with Pip, or any other package manager), these packages can contain scripts that can be run.
This poses an incredibly dangerous security issue: if I run npm install ... not long after I ran pass, a malicious package could steal the entire content of my password store. Same issue with sudo. Even more incredible: it's very hard to find people on the internet who care about it.
The first solution that comes to my mind is to set the timeout for the GPG agent and sudo to
Another one is to open every project I work on in a development container (a Docker container), to prevent scripts in it from accessing my home folder. But it would require constantly creating containers for new and existing projects, which can take quite some time.
Can you think of any other solution?
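The first solution mentioned above (cache timeouts of zero) has three concrete knobs on a Linux box: the gpg-agent passphrase cache, the sudo credential timestamp, and whether npm runs package lifecycle scripts at all. The following audit script is an added example written for this page, not code from the question or from any of those projects. It reads each setting from a file passed as a parameter (so it can be pointed at sample files), reports it as ok or weak, writes a hardened copy of each file, and can clear what is cached right now; the file names under write_hardened_samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings that decide how
# long cached credentials stay reachable by anything running as your user, and
# write a hardened copy of each file. All paths are parameters so the functions
# also run against constructed sample files.

# Print the numeric value of KEY from a "key value" style file, or nothing.
conf_value() {  # $1 = file, $2 = key
  [ -f "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# gpg-agent.conf: both TTLs must be 0, otherwise the passphrase stays cached
# (the defaults are default-cache-ttl 600 and max-cache-ttl 7200 seconds).
check_gpg_agent() {  # $1 = gpg-agent.conf path (default: ~/.gnupg/gpg-agent.conf)
  f="${1:-$HOME/.gnupg/gpg-agent.conf}"
  d=$(conf_value "$f" default-cache-ttl)
  m=$(conf_value "$f" max-cache-ttl)
  if [ "$d" = 0 ] && [ "$m" = 0 ]; then
    echo "gpg-agent: ok (passphrase is not cached)"; return 0
  fi
  echo "gpg-agent: weak (default-cache-ttl=${d:-unset} max-cache-ttl=${m:-unset})"; return 1
}

# sudoers: a "Defaults timestamp_timeout=0" line disables the credential cache
# (the default is 15 minutes). /etc/sudoers is root-only, so either run this as
# root or point it at the drop-in file you manage under /etc/sudoers.d/.
check_sudo() {  # $1 = sudoers file (default: /etc/sudoers)
  f="${1:-/etc/sudoers}"
  if grep -Eq '^[[:space:]]*Defaults[[:space:]]+.*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)' "$f" 2>/dev/null; then
    echo "sudo: ok (no credential caching)"; return 0
  fi
  echo "sudo: weak (timestamp_timeout is not 0, or file unreadable)"; return 1
}

# .npmrc: ignore-scripts=true stops npm from running preinstall/postinstall and
# similar lifecycle scripts during npm install.
check_npmrc() {  # $1 = npmrc path (default: ~/.npmrc)
  f="${1:-$HOME/.npmrc}"
  if grep -Eq '^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$f" 2>/dev/null; then
    echo "npm: ok (install scripts disabled)"; return 0
  fi
  echo "npm: weak (lifecycle scripts run on npm install)"; return 1
}

# Write hardened copies of the three files into DIR (constructed file names;
# install them as ~/.gnupg/gpg-agent.conf, /etc/sudoers.d/<name> and ~/.npmrc).
write_hardened_samples() {  # $1 = directory
  mkdir -p "$1"
  printf 'default-cache-ttl 0\nmax-cache-ttl 0\n' > "$1/gpg-agent.conf"
  printf 'Defaults timestamp_timeout=0\n' > "$1/sudoers-no-cache"
  printf 'ignore-scripts=true\n' > "$1/npmrc"
}

# Drop what is cached right now (sudo timestamp, gpg-agent passphrases), for
# example right before running a package manager.
forget_cached_secrets() {
  sudo -k 2>/dev/null || true
  if command -v gpg-connect-agent >/dev/null 2>&1; then
    gpg-connect-agent reloadagent /bye >/dev/null
  fi
  return 0
}

# Usage: sh audit.sh audit   (exits non-zero if any setting is weak)
case "${1:-}" in
  audit)
    rc=0
    check_gpg_agent || rc=1
    check_sudo || rc=1
    check_npmrc || rc=1
    exit "$rc" ;;
esac
```

Two caveats a practitioner will hit: ignore-scripts also skips legitimate build steps (native add-ons, for instance), so some packages need a manual npm rebuild afterwards; and a zero gpg-agent TTL means typing the passphrase on every pass call, which is the trade-off the question is asking about.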
"npm i ... not long after pass my-password allows a malicious package to steal my entire password store"
Yes, but not just that. Running npm i ... at any time before pass my-password allows a malicious package to steal your entire password store. A malicious package can inject code somewhere (for example the pass executable or a library that it uses) so that whenever sensitive data becomes accessible, the malicious entity will have access to it as well.
As soon as an environment is compromised, it's game over.
The only solution is to run untrusted code in an isolated environment.
(Mind you, why are you installing development packages you don't trust? Are they somehow secure enough for the users of the product you're developing, but not for yourself?)
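The answer's recommendation is isolation rather than shorter cache timeouts. A lightweight way to get it, as an added example that is not part of the answer and not a tool of any of the projects named here, is a wrapper that runs the package manager in a throwaway Docker container with only the project directory mounted: the host home directory, the gpg-agent socket and the sudo timestamp do not exist inside it. It assumes Docker is installed and uses the public node image by default (IMAGE is a placeholder to adjust); DRY_RUN=1 prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original answer): run a package manager command
# inside a disposable container that can see only the project directory.
# Assumes Docker; IMAGE is a placeholder, override it for other ecosystems.
IMAGE="${IMAGE:-node:20}"

# isolated_install DIR CMD...   e.g.  isolated_install . npm install
# Mounts DIR at /app, runs as the host user so created files keep your uid/gid,
# sets HOME to a scratch dir for the package manager's cache, and drops all
# capabilities. With DRY_RUN=1 the docker command is printed, not executed.
isolated_install() {
  dir=$(cd "$1" && pwd) || return 1
  shift
  run=""
  [ "${DRY_RUN:-0}" = 1 ] && run=echo
  $run docker run --rm -i \
    -v "$dir:/app" -w /app \
    -u "$(id -u):$(id -g)" -e HOME=/tmp \
    --cap-drop ALL --security-opt no-new-privileges \
    "$IMAGE" "$@"
}

# Usage: sh isolated.sh DIR CMD...
if [ "$#" -ge 2 ]; then
  isolated_install "$@"
fi
```

The container still has network access, which the install needs to fetch packages; what it lacks is any path to the secrets on the host. This does not make the installed code trustworthy once you import it in your own process, which is the answer's wider point.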