If you find malware in an npm package (either yours or someone else's), you can report it to the npm Security team to help keep the JavaScript ecosystem safe.

Note: Vulnerabilities in npm packages should be reported directly to the package maintainers. We strongly advise doing this privately. You can find contact information about package maintainers with npm owner ls <package-name>. If the source code is hosted on GitHub, please refer to the repository's Security Policy.

How npm Security handles malware

Malware is a major concern for npm Security, and we have removed hundreds of malicious packages from the registry. For every malware report we receive, npm Security takes the following actions:

  1. Confirm the validity of the report.

  2. Remove the package from the registry.

  3. Publish a security placeholder for the package.

  4. Publish a security advisory alerting the community.

As part of our process, we determine whether the user account that uploaded the package should be banned. We also cooperate with third parties when applicable.

Reporting malware

  1. Gather information about the malware.

  2. On the package page, click Report malware.

  3. On the malware report page, provide information about yourself and the malware:

    • Name: Your name.

    • Email address: An email address the npm Security team can use to contact you.

    • Package name: The name of the package that contains the malware.

    • Package version: The version of the package that contains the malware. Include all affected versions.

    • Description of the malware: A brief description of the malware and its effects. Include references, commits, and/or code examples that would help our researchers confirm the report.

  4. Click Send Report.
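The "gather information" step is where reporters most often run the suspicious package by accident. The following added example (not part of the npm documentation) shows how to pull the details the report form asks for out of a packed tarball without executing anything in it: the package name and version, the install-time lifecycle scripts worth quoting in the description, and the tarball's sha512 integrity string so researchers can match the exact artifact. The tarball and the package name "example-reported-pkg" are constructed stand-ins for the output of `npm pack`, not a real package.

```python
import base64
import hashlib
import io
import json
import tarfile

# Lifecycle scripts npm runs during `npm install`; quote these in the report.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_sample_tarball() -> bytes:
    """Constructed stand-in for an `npm pack` tarball; not a real package."""
    manifest = {
        "name": "example-reported-pkg",  # placeholder name
        "version": "1.2.3",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"},
    }
    files = {
        "package/package.json": json.dumps(manifest).encode(),
        "package/setup.js": b"// constructed stand-in for the suspicious file\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def integrity(tarball: bytes) -> str:
    """SSRI-style string, the format `npm view <pkg>@<ver> dist.integrity` prints."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


def gather_report_details(tarball: bytes) -> dict:
    """Read package.json out of the tarball; nothing in it is ever executed."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        manifest = json.load(tar.extractfile("package/package.json"))
    hooks = {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}
    return {
        "package_name": manifest["name"],        # form field: Package name
        "package_version": manifest["version"],  # form field: Package version
        "install_hooks": hooks,                  # for: Description of the malware
        "integrity": integrity(tarball),         # lets researchers match the artifact
    }


if __name__ == "__main__":
    print(json.dumps(gather_report_details(build_sample_tarball()), indent=2))
```

Run the same `gather_report_details` over each tarball you fetched for the suspect versions so the "Package version" field lists every affected version rather than only the one you first noticed.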
