This article is more than 1 year old

Malicious code ousted from PureScript's npm installer – but who put it there in the first place?

Account hijacking claimed by some but it may just be a developer behaving badly

Another JavaScript package in the npm registry - the installer for PureScript - has been tampered with, leading project maintainers to revise their software to purge the malicious code.

After a week of reports of unexpected behavior, software developer and PureScript contributor Harry Garrood on Friday published his account of the affair.

The installer, invoked by typing npm i -g purescript from the command line, was designed to install PureScript, a programming language that compiles to JavaScript, on the user's system using the npm command line interface. It gets used about 2,000 times a week.

According to Garrood, the installer was originally developed and maintained by Shinnosuke Watanabe (@shinnn), a developer based in Japan. The PureScript maintainers had disagreements with Watanabe about the upkeep of the installer and asked him to transfer the project to their control.

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript


"He begrudgingly did so," explained Garrood in his post, noting that the 0.13.2 PureScript compiler release that debuted on July 5th is the first since the project team took over management of the installer package. And that's where the problems started.

The PureScript installer has dependencies also under the control of Watanabe, or rather it did until they were removed earlier this week: the npm packages load-from-cwd-or-npm and rate-map. Garrood says malicious code was introduced into each of these packages at separate times to break the recent revision of the PureScript installer – but not previous versions published by Watanabe.

"@shinnn claims that the malicious code was published by an attacker who gained access to his npm account," explained Garrood. "As far as we are aware, the only purpose of the malicious code was to sabotage the PureScript npm installer to prevent it from running successfully."

Compromised developer accounts represent an ongoing concern among all the software package registries. Earlier this month, a Ruby gem (package) was hijacked. And in June, a vulnerability in an npm package was exploited to steal cryptocurrency, echoing a similar incident that came to light in November last year.

But it's not clear that Watanabe's account was actually hijacked; this may just be a case of one developer lashing out at others over personal disagreements.

A mole

NPM Inc settles union-busting complaints on third try – after CEO trolled for ordering internal mole hunt


Garrood implies that Watanabe is to blame for the security lapse but stops short of accusing him explicitly. He calls the compromise a malicious act without attributing it to anyone. At the same time, he cites behavior that's difficult to explain – he claims that Watanabe deleted a GitHub issue post on July 9 made by developer Jolse Maginnis indicating that his load-from-cwd-or-npm package is breaking the installer.

In his analysis of the malicious portion of load-from-cwd-or-npm, Garrood observes that the purpose of a specific conditional statement that had been added "seems to be to ensure that the malicious code only runs when our installer is being used (and not @shinnn’s)."

On Twitter, developer Vincent Orr chastised Garrood for insinuating that Watanabe is to blame, to which Garrood replied, "I've deliberately not assigned any blame, just relayed facts."

Orr however suggests that's inconsistent with mentioning Watanabe's GitHub handle a dozen times.

The Register emailed Garrood and Watanabe seeking comment but we've not heard back.

We've also asked NPM to elaborate on whether it has investigated the incident or taken any action against Watanabe based on these allegations. No word yet. ®

More about


Send us news

Other stories you might like