
[NodeJS NPM] security concerns



Hi.

NPM nodejs package manager doesn't check for https signatures communicating with the central repo, which could give an attacker with MITM capabilities the possibility to execute code.

The issue is here.

The maintainer considers this to be a bug that is on his "eventually" list.

Some interesting quotes:

You should be very careful telling those you've never met how little they care about something. If I didn't care about security at all, I wouldn't work on it at all. However, you are making the mistake of most security-focused engineers, and apparently missing that there is anything else to be concerned with. This is a classic cognitive bias of over-estimating the threat of a low-probability failure mode.
 
If there are linux distros picking up such an immature and developmental project like npm, then it is to their folly. I never suggested that they do such a thing, and in fact, have campaigned several times to have npm removed from other package manager indexes. People should install node and npm from the source code. In a year or two, it might be a good idea, but for now, npm is still changing too quickly, and is too unstable.


I find it quite baffling, since node is a pretty popular language and npm is the most popular way for them to install packages, but hey.

I just thought it would be interesting to let you guys know and would be quite interested to hear your thoughts.

Thanks,
Pedro

--
GPG: http://is.gd/droope
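As an added illustration of the defensive side of the concern raised above (this is not code from the post, from npm, or from its maintainer): later npm versions expose a `strict-ssl` config key that controls registry certificate verification and a `registry` key for the registry URL, neither of which the post mentions. The script below parses an `.npmrc` file and flags settings that disable verification or point at a plaintext `http://` registry, which is the condition under which a MITM attacker can tamper with downloaded packages. The sample `.npmrc` content and the `.invalid` hostnames are constructed for the example.

```python
"""Audit an .npmrc for settings that weaken transport security.

Added example, not npm's own code. Assumes the .npmrc key=value format
with '#' or ';' comment lines, and the npm config keys `strict-ssl`
and `registry` (plus scoped `@scope:registry` entries).
"""

# Constructed sample .npmrc: two weak settings and one acceptable scoped registry.
SAMPLE_NPMRC = """\
# constructed sample .npmrc
registry=http://registry.example.invalid/
strict-ssl=false
; a scoped registry over https is fine
@corp:registry=https://npm.corp.example.invalid/
"""


def parse_npmrc(text):
    """Parse key=value lines into a dict; skip blank lines and comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore lines that are not key=value
            config[key.strip()] = value.strip()
    return config


def audit_npmrc(text):
    """Return a list of (key, value, reason) findings for weak settings."""
    config = parse_npmrc(text)
    findings = []
    for key, value in config.items():
        if key == "strict-ssl" and value.lower() == "false":
            findings.append((key, value, "TLS certificate verification disabled"))
        if key == "registry" or key.endswith(":registry"):
            if value.lower().startswith("http://"):
                findings.append((key, value, "plaintext registry URL; packages can be tampered with in transit"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_npmrc(SAMPLE_NPMRC):
        print(f"{key}={value}: {reason}")
```

Run it against a real `~/.npmrc` or a project's `.npmrc` by reading the file into `audit_npmrc`; an empty result means neither weak setting is present, though it says nothing about what the installed npm version does by default.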
