If you find malware in an npm package (either yours or someone else's), you can report it to the npm Security team to help keep the JavaScript ecosystem safe.

Note: Vulnerabilities (as opposed to malware) in npm packages should be reported directly to the package maintainers, and we strongly advise doing so privately. You can find contact information for the package maintainers with `npm owner ls <package-name>`. If the source code is hosted on GitHub, refer to the repository's Security Policy.

How npm Security handles malware

Malware is a major concern for npm Security, and we have removed hundreds of malicious packages from the registry. For every malware report we receive, npm Security takes the following actions:

  1. Confirm the validity of the report.

  2. Remove the package from the registry.

  3. Publish a security placeholder for the package, so the name cannot be re-used for the malicious code.

  4. Publish a security advisory alerting the community.

As part of our process we determine whether the user account that uploaded the package should be banned. We also cooperate with third parties when applicable.

Reporting malware

  1. Gather information about the malware. Do this without installing the package: an `npm install` runs the package's lifecycle scripts, which is exactly where malware usually lives.

  2. On the package page, click Report malware.

  3. On the malware report page, provide information about yourself and the malware:

    • Name: Your name.

    • Email address: An email address the npm Security team can use to contact you.

    • Package name: The name of the package that contains the malware.

    • Package version: The version of the package that contains the malware. Include all affected versions.

    • Description of the malware: A brief description of the malware and its effects. Include references, commits, and/or code examples that will help our researchers confirm the report.

  4. Click Send Report.
