Is it possible to download malicious software with node-red?

I have never thought about it and just downloaded random nodes from the "manage palette" tab. Is it possible? Are those packages checked somehow? Or should I be more careful?
Just wondering. Thank you in advance for your answers.

The Flow Library doesn't do any validation of the functionality provided by the nodes.

It is always worth taking a closer look at a module before downloading it. For example, how many downloads has it had? Is it a popular module?

If anyone does see anything of concern they can click the 'report module' link on its Flow Library page and then we can take a look.

Great Question

Any software platform that can execute code from other people is subject to potentially malicious software. Though it is far more likely that something will be accidental rather than deliberate. But it isn't unheard of for a popular library to have something slipped into it.

Not much you can do except be careful whose software you install and restrict updates if you are doing something sensitive.

It is far more likely that an Internet connected device will be compromised than something malicious slipped into a custom node.

Not node-red specifically, but the underlying stuff it's built upon has had some "inside jobs" putting malicious code in the repos. Some of these are pretty old news.

https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/

https://securityreport.com/nodejs-malware-caught-exfiltrating-ips-username-and-device-information-on-github/

https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Pretty easy to find more if you search.
