NPM: not detecting postinstall scripts

[emilva]

Hello team! Very cool tool you have created, and I am glad for the NPM support!

When testing this tool against different malicious packages I get no results, I took som examples from https://github.com/spaceraccoon/npm-zoo

For example:
https://github.com/spaceraccoon/npm-zoo/tree/master/packages/pizza-pasta/pizza-pasta-1.0.3

guarddog npm scan package.json
Found 0 potentially malicious indicators scanning package.json

guarddog npm verify package.json
Scanning using at most 16 parallel worker threads

Should this one be detected, or am not running the correct commands?

Cheers,

emil

[christophetd]

Thanks for the report! We'll look into it shortly and get back to you

[christophetd]

You should be running guarddog npm scan ./pizza-pasta-1.0.3:

Note that the ./ allows guarddog to understand that you're asking it to scan a local folder.

• guarddog verify ./pizza-pasta-1.0.3/package.json will scan the dependencies described in this package.json file (which isn't what you want)
• guarddog scan package.json will scan a remote npm package called "package.json"

Hope that clears things up!

[emilva]

Thanks @christophetd that clear things up!

I did try with guarddog npm scan . to scan the local directory, but then it also tried to check against the registry.

Cheers,

emil

[christophetd]

that's a good point, it should consider it a local path

[christophetd]

Should be addressed by #176. Thanks for the report!

[emilva]

Nice, you are too fast! Thanks!