May I have accidentally downloaded a malicious npm package?

today I wanted to try linking my dist folder to npm and I tried npm link dist but that downloaded this package https://www.npmjs.com/package/dist?activeTab=dependencies I've heard about some malicious packages and I got paranoia, does anyone know if I should do something?
npm
dist
a cli tool and library to create development and production versions for the browser. Latest version: 0.1.2, last published: 11 years ago. Start using dist in your project by running npm i dist. There are 28 other projects in the npm registry using dist.
8 Replies
Halu
Halu11mo ago
there are no install or postinstall scripts on it (and deps are popular packages). so you haven't executed anything unexpected ur prob fine, just uninstall it
Aless
AlessOP11mo ago
Ok, thank you I know dependecied can have scripts too tho
Halu
Halu11mo ago
They are reasonably popular enough i don't think you need worry about it too much you are right tho, it would be nice to have a tool to search packages at depth for such scripts you can search ur node_modules for them tho (assuming the package.json didn't trigger a self-edit) heres some links if you wanna learn a little more about them malicious packages - https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities - https://github.com/npm/npm/issues/17724#issuecomment-314483466 - https://blog.phylum.io/phylum-discovers-npm-package-mathjs-min-contains-discord-token-grabber/ If ur not convinced tho, you can always take up with NPM directly.
If you believe you have identified a dependency confusion package, please let us know!
link prob overkill in this scenario, but i'd never criticize someone for prioritizing their computers security
Aless
AlessOP11mo ago
Or I could run an antivirus scan first, and change my passwords Resetting my pc would be the safer option but I have school tomorrow and many other stuff to do
T
T11mo ago
Do you have any legitimate reason to believe that this package is malicious? I think you may be overreacting in this particular scenario
Aless
AlessOP11mo ago
Probably, I have paranoia issues
T
T11mo ago
All that happened is you accidentally installed an npm package from 11 years ago. It looks safe to me. Just old and not particularly useful
Halu
Halu11mo ago
just buy a new computer man, its game over! /s
Want results from more Discord servers?
Add your server