This article is more than 1 year old
Worried about occasional npm malware scares? It's more common than you may think
WhiteSource says it spotted 1,300 malicious JavaScript packages in 2021 alone
Malware gets spotted in GitHub's npm registry every few months, elevating concerns about the software supply chain until attention gets diverted and worries recede until the next fire drill.
Incidents like the sudden removal of left-pad
from npm in 2016 or the subversion of faker.js
and colors.js
last month get noticed, but much of the mischief on npm flies under the radar.
WhiteSource, a security firm based in Israel, says that in 2021, it detected 1,300 malicious npm packages. It reported them to npm, which subsequently removed the malware without fanfare.
The npm registry is an online repository for distributing code packages that provide ready-made functions to developers using JavaScript and related languages. Because npm is open to anyone, and allows code uploads without rigorous review, malicious code shows up from time to time and those overseeing the registry are then obligated to make some effort to remove the code and minimize the damage.
The potential for damage is significant because npm packages often include other packages as dependencies, so a given app may have several layers of potential attack surface. As one 2019 study [PDF] found, "Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers."
The situation is similar though less extreme at package registries for other languages like the Python Package Index (PyPI), RubyGems.org, and the Comprehensive Perl Archive Network (CPAN).
The npm registry is larger than its peers, with 1.8 million packages, each of which has an average of about 12 different versions. The closest contender is Java's Maven Central, with about 457,000 packages at the moment.
Online crims move in
WhiteSource, in a report titled "Popular Javascript Package Registry Is a Playground For Malicious Actors," summarizes what it found in the 1,300 malicious packages spotted last year by company researchers.
The npm registry receives some 17,000 new packages daily or 6.2 million over the course of a year. And while finding 1,300 bad apples among the new and the preexisting packages during that time period shows that poisoned packages are rather rare overall, there's still reason to be concerned given the consequences of being victimized.
"A worrying fact is that almost 14 per cent of all the packages detected were designed to steal sensitive information like credentials and other data present in environment variables," the WhiteSource report says.
- JavaScript dev deliberately screws up own popular npm packages to make a point of some sort
- GitHub fixes authorisation vulnerability in the NPM JavaScript package registry
- NPM packages disguised as Roblox API code caught carrying ransomware
- If you're using this hijacked NPM library anywhere in your software stack, read this
Most of the malware detected (~82 per cent) is designed for reconnaissance – gathering information that may be useful for targeting future attacks. Just over 2 per cent of the malware was crafted for remote code execution.
The company notes that while most of the malicious packages detected have no specific target, some, like @grubhubprod/cookbook
, clearly have a specific victim in mind.
"This package and a couple of similar ones were used in an attempt to get into the company, Grubhub," the report says. "The probable vector of this attack was the dependency confusion approach. Upon installation of this package, it would intercept all available environment variables data and send it to a remote location."
The company makes a number of recommendations, which largely boil down to not trusting packages blindly, paying attention to changes, and generally taking reasonable precautions. And if history is any guide, these will largely be ignored.
The npm registry, however, looks likely to avoid the risk of noncompliance by making security a requirement, at least in the context of login authentication. On Tuesday, Myles Borins, staff product manager for open source at GitHub, announced mandatory use of two-factor authentication (2FA) for the maintainers of the top 100 npm packages, as measured by dependents. Obligatory 2FA will eventually be required for all those publishing packages via npm.
GitHub is also working on implementing WebAuthn for hardware security keys; both of these initiatives make it less likely that miscreants will be able to hijack the accounts of those maintaining popular packages in order to push poisoned updates to a mass audience.
"We are committed to improving the security of the JavaScript and broader open source supply chain," explained Borins. "As we make progress on larger initiatives like WebAuth and enrolling all high-impact package maintainers in 2FA, we will continue to make smaller iterative improvements in the registry." ®