(Malware/Adware???) Suspicious code in jQuery npm package...


Stephen Carnam

Dec 19, 2013, 7:13:13 PM12/19/13
to nod...@googlegroups.com
Noob to nodejs (but not to JavaScript). Today I needed jQuery functionality in a nodewebkit app I'm writing and so I ran "npm install jquery". However, I noticed the following show up in Netbeans as it tracks remote dependencies being referenced now that jQuery is present; these are curiously named:

show_ads.js
urchin.js

And appear to be coming from a "testdata\trackerchecker.html" page, in a folder along with a bunch of hidden ".tmp" files in the jQuery node_modules dependency, htmlparser version 1.7.6 (the current version is 2.0.0). However, this "testdata" doesn't appear in the current version or archive in github. Further examination is showing that this page is some sort of torrent checker software. What the heck does this have to do with jQuery and does anyone know if it's legit (suspect as it's not in the author's github version)? 

Is this just a poorly chosen testing document, or does "piratebits" and "pi sexy" have any relevance here?

Screenshot attached...




Rick Waldron

Dec 19, 2013, 7:17:03 PM12/19/13
to nod...@googlegroups.com
Please file a bug for this http://bugs.jquery.com and probably with https://github.com/tautologistics/node-htmlparser

Thanks

Rick


--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.

Alex Kocharin

Dec 19, 2013, 7:20:50 PM12/19/13
to nod...@googlegroups.com
 
"Assume stupidity, not malice".
 
Those two files are web bugs. Very common annoyance. I wish Firefox would deny any scripts that do not originate from the same domain by default...
 
People just don't know how to use .npmignore, that's all. Take a look at what "less" package contains, you'll be impressed. :)
 
 

Stephen Carnam

Dec 19, 2013, 7:27:23 PM12/19/13
to nod...@googlegroups.com
Cleared my npm cache and uninstalled/re-installed nodejs just to double check (in case it's my Mac that's infected). Still showing up using npm. Yet it's not in git nor online source browsing. Filed with htmlparser author. I know it's not a part of jQuery core!

Thanks for your quick reply :-)
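The check Stephen describes above, comparing what npm actually delivered against what the project's repository tracks, can be scripted. This is an added example, not code from the thread and not npm's own tooling. The tarball, the repository file list and the file names (testdata/, a hidden .tmp file, a remote urchin.js reference) are constructed here to mirror the thread so the script runs offline; the contents are placeholders.

```python
"""Audit an npm tarball: list files the source repository does not track,
stray hidden/.tmp files, and shipped HTML that pulls scripts from remote
hosts.  Added example; the tarball and repo file list are constructed."""
from __future__ import annotations

import io
import re
import tarfile

# Constructed stand-in for the files tracked in the project's git repo.
REPO_FILES = {"package.json", "lib/htmlparser.js", ".npmignore"}


def build_sample_tarball() -> bytes:
    """Construct a small npm-style tarball; npm nests everything under 'package/'."""
    files = {
        "package/package.json": b'{"name":"htmlparser","version":"1.7.6"}',
        "package/lib/htmlparser.js": b"module.exports = {};\n",
        "package/testdata/trackerchecker.html":
            b"<html><script src='http://example.invalid/urchin.js'></script></html>",
        "package/testdata/.abc123.tmp": b"",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _strip_package_prefix(name: str) -> str:
    """'package/lib/x.js' -> 'lib/x.js' (npm tarballs have one top-level dir)."""
    return name.split("/", 1)[1] if "/" in name else name


def tarball_paths(tarball: bytes) -> list[str]:
    """Regular files in the tarball, with the leading 'package/' removed."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return [_strip_package_prefix(m.name) for m in tar.getmembers() if m.isfile()]


def unexpected_files(tarball: bytes, repo_files: set[str]) -> list[str]:
    """Files that ship in the tarball but are not tracked in the repository."""
    return sorted(p for p in tarball_paths(tarball) if p not in repo_files)


def hidden_or_temp(paths: list[str]) -> list[str]:
    """Hidden files and .tmp files: typical stray editor or scratch artefacts."""
    return sorted(p for p in paths
                  if p.rsplit("/", 1)[-1].startswith(".") or p.endswith(".tmp"))


_SRC_URL = re.compile(rb"""src=["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def remote_script_refs(tarball: bytes) -> dict[str, list[str]]:
    """Shipped HTML files and the remote URLs their src= attributes load."""
    refs: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.lower().endswith((".html", ".htm")):
                body = tar.extractfile(m).read()
                urls = [u.decode("ascii", "replace") for u in _SRC_URL.findall(body)]
                if urls:
                    refs[_strip_package_prefix(m.name)] = urls
    return refs


if __name__ == "__main__":
    tgz = build_sample_tarball()
    print("not in repo:", unexpected_files(tgz, REPO_FILES))
    print("hidden/temp:", hidden_or_temp(tarball_paths(tgz)))
    print("remote refs:", remote_script_refs(tgz))
```

To run this against a real package, fetch the tarball with `npm pack <name>@<version>` (or take it from the npm cache) and read the repository file list from `git ls-files` at the matching tag; files flagged by `unexpected_files` are exactly the ones that, as here, exist only in the published artefact.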

Chris Winberry

Dec 19, 2013, 8:19:59 PM12/19/13
to nod...@googlegroups.com
Hey, htmlparser author here. I got concerned when I heard something malicious might have made its way into the package.

No malice but I will cop to stupidity. A while back (2 years now? wow) I made a quick fix and did not realize I had some vestiges of test data while working on a rewrite. That data was just some website being scraped while validating the parser that did not get cleaned up. Yes, .npmignore is a good idea but it won't prevent random mistakenly created file/folders from sneaking in; would be great if there were a whitelist-type dotfile for npm but I digress...

My apologies for the confusion and alarm. I have pushed up a v1.7.7 that has all that cleaned up.

Stephen Carnam

Dec 19, 2013, 8:35:12 PM12/19/13
to nod...@googlegroups.com
No worries. Thanks for the explanation! I'm still learning and it's all good. Thank you for your contribution and feedback; I'll know to watch my own source folders in the future too. 

Alex Kocharin

Dec 19, 2013, 8:57:44 PM12/19/13
to nod...@googlegroups.com
Hi Chris,
 
Actually, you can submit a whitelist there. It should follow the same semantics as .gitignore, and gitignore fully supports whitelisting like that:
 
```
*
!something
!foo.*
```
 
It's just rarely seen because it's a maintenance burden.
 
 
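Alex's snippet generalized to a package that keeps its code in a subdirectory, as an added example that is not from the thread; the names lib/, package.json and README.md are assumed. Under git's rules, which Alex says npm follows, a negated pattern cannot re-include a file whose parent directory is still excluded, and a bare `*` matches at every depth, so the directory has to be re-included first and then its contents:

```gitignore
# Exclude everything at every depth...
*
# ...then re-include the directory itself, then what is inside it.
!/lib/
!/lib/**
# Top-level files that must ship.
!/package.json
!/README.md
```

Whatever the pattern file says, verify the result against the artefact rather than the rules: `npm pack` writes the tarball npm would publish, and `tar -tzf` on it lists exactly what ships, which is where stray testdata/ or .tmp files like the ones in this thread show up.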