Manifest Confusion Threat Undermines Trust in Entire Npm Registry

It turns out that developers who use the hugely popular npm registry to download JavaScript code can be unknowingly exposed to a variety of cyberthreats, because they have no way to verify package metadata against what a package actually contains.

GitHub owns the world’s largest software registry, used by 17 million developers worldwide.

However, Darcy Clarke, a former GitHub and npm manager, explained in a blog post this week that the registry had failed to address the issue, even though it had been aware of it since last November.

“I believe that the potential impact/risk of this issue is actually much greater than originally understood and I submitted a HackerOne report on March 9th with my findings. They closed the ticket and announced that they were handling the issue ‘internally’ on March 21st,” explained Clarke.

“As far as I know, they haven’t made any noticeable progress and haven’t publicized the issue. Rather, they’ve actually stripped npm of its status as a product over the past 6 months, are no longer following up on any issues, and have refused to provide updates or insights into the restoration work.”

The problem itself stems from the fact that npm does not validate a package’s manifest information (its metadata) against the actual contents of the associated package archive, or “tarball”.

In theory, this means that a package publisher could hide important information such as which dependencies a package has, which scripts it runs, and so on.

Clarke said this poses some risks for npm users.

  • Cache poisoning, where the saved package does not match the name and version of the package in the registry
  • Installation of unknown or unlisted dependencies, fooling security and auditing tools
  • Execution of unknown and unlisted scripts, again fooling security/audit tools
  • A possible downgrade attack, if the version specification stored in the project points to an undisclosed vulnerable version of the package
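One way a defender can catch the first three risks above is to compare the manifest the registry reports for a package version with the package.json actually shipped inside its tarball. The following is an added example, not code from the article or from npm: it assumes both documents have already been fetched and parsed (the registry record for the version, and package/package.json extracted from the tarball) and reports every field on which they disagree.

```javascript
// Added example: diff the registry's view of a package version against the
// package.json inside the published tarball. Fields that audit tools rely on
// (name, version, dependencies, scripts) are compared key by key.
const CHECKED_MAPS = ["dependencies", "optionalDependencies", "scripts"];

function diffManifest(registryManifest, tarballPackageJson) {
  const findings = [];
  // Cache-poisoning risk: the saved package's name/version differ from the
  // name/version the registry advertises.
  for (const field of ["name", "version"]) {
    if (registryManifest[field] !== tarballPackageJson[field]) {
      findings.push({
        field,
        registry: registryManifest[field],
        tarball: tarballPackageJson[field],
      });
    }
  }
  // Unlisted dependencies and scripts: keys present in the tarball but absent
  // (or different) in the registry manifest that tooling reads, and vice versa.
  for (const map of CHECKED_MAPS) {
    const reg = registryManifest[map] || {};
    const tar = tarballPackageJson[map] || {};
    for (const key of new Set([...Object.keys(reg), ...Object.keys(tar)])) {
      if (reg[key] !== tar[key]) {
        findings.push({ field: `${map}.${key}`, registry: reg[key], tarball: tar[key] });
      }
    }
  }
  return findings;
}

// Constructed sample input (not a real package): the registry shows a clean
// manifest, while the tarball declares an extra dependency and an install script.
const sampleRegistry = { name: "example-pkg", version: "1.2.3", dependencies: {}, scripts: {} };
const sampleTarball = {
  name: "example-pkg",
  version: "1.2.3",
  dependencies: { "some-other-pkg": "^1.0.0" },
  scripts: { install: "node setup.js" },
};

const sampleFindings = diffManifest(sampleRegistry, sampleTarball);
console.log(sampleFindings);
```

An empty result means the two views agree; anything else is worth blocking or at least flagging before `npm install` runs the tarball's scripts.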

Ax Sharma, a security researcher at Sonatype, argued that the manifest confusion issue highlights why developers should not rely on metadata alone, since metadata can be full of inaccuracies.

“This is not necessarily due to malicious behavior, but if a legitimate project was cloned or forked, or if a new developer left old metadata in the new package’s manifest file or within its npm registry page, it can happen,” he added.

“It’s important not to blindly trust manifests and to use security tools that perform deeper analysis, such as hash-based analysis of known malicious and vulnerable files, known as advanced binary fingerprinting.”

If developers do not use such analysis tools, Sharma concludes, they may be exposed to threat actors who inject malicious dependencies or drop malicious installation scripts, which solutions that rely on manifest data alone can miss.
