I actually did a POC 7 years ago about this - https://github.com/tanepiper/steal-ur-stuff
It was reported to npm at the time, but they chose to ignore it - https://github.com/npm/npm/issues/17724
tldr; This issue allows an attacker to include a 'hidden dependency' in a package that won’t show up on the npm website, even though the CLI will actually install it.
The issue is caused by a disparity between a package's manifest and its tarball contents, which npm does not enforce are consistent. And unfortunately, a lot of data – such as the dependencies, install scripts, license, etc. – is duplicated between the package.json in the tarball and the metadata served by registry.npmjs.org. And every tool uses a different source of truth.
Socket (disclosure: my startup), I'm proud to say, has been using the correct manifest file - the package.json inside the tarball - for all security analysis, which aligns with the installation behavior of every major package manager. This means any attempt to exploit this technique would not have evaded Socket’s analysis. We wrote more about manifest confusion here: https://socket.dev/blog/manifest-confusion
I like The Register, but perhaps the URL should be updated, since this is mostly blogspam wrapping the original source (which is linked from the article): https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosyst...