Saw this unfolding on GitHub, very fun stuff.
The developer could handle this better by marking the package as unmaintained I guess.
But they never signed up for that responsibility.
Technology-wise this could be improved at the language/runtime level by having capability-based access control and jailed unprivileged modules.
Realistically, no matter how much the module calls require(), it shouldn’t be able to make network calls. And even if we need to let a module have direct network access (not the case at all here), we could pass in a capability to make requests to only a specific domain list for instance.
Even more glaringly, of course it should not have been able to modify the export of bitcore-wallet-client/lib/credentials.js, that’s just ridiculous.