There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.
There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.
You can’t, obviously. I know how to read code, but I still rarely do it since it’s very time consuming. Usually, if I’m nervous about something, I’ll first look at the author and see if they’re well-known, or at least tied to a real identity. In the rare cases that I have reviewed a code base (I’m not a security expert or anything) to check for malware, the things I looked for were:
obvious red flags, like urls to fishy sites, or calls to filesystem APIs where it doesn’t make sense, paths that it shouldn’t be trying access, etc
anything that looks obfuscated, poorly written, or delibrately designed to be difficult to read
But if it’s anything related to Node/NPM, I always use a throwaway rootless podman container without filesystem access. Even if the author is trustworthy, their dependency graph is likely a bag of used needles that they picked up on the side of the road.