As someone running Red Hat, with no idea what NPM dependency means, what am I supposed to do?
I haven't updated in like a week, so there's that (hopefully a good thing).
I am no expert, but here's what I did for starters:
Bash:
npm config set ignore-scripts true
This tells npm not to run any preinstall/postinstall scripts. This is how the attack fires. I only looked at the problem from the point of view of a developer. So sys-admins probably have more problems that I don't know about.
Also, I'm avoiding npm calls until this is over; afterwards I'll re-grab packages and set up a package-lock.json when I'm done so that I have hashes and don't auto-grab the newest thing. If an old package has an advisory, or I really need something new, I'll update then and not before.
Anyway, I'm new to all of this. Others here will have far better advice than I can provide.