A security researcher has released a new tool designed to help developers check for npm packages affected by manifest confusion issues recently discovered in the registry.
Felix Pankratz, a sysadmin and self-professed hacker, published the tool on GitHub on Monday. The Python script checks npm package manifests for mismatches and recursively checks all of a package's dependencies, he said.
You can read more about manifest confusion here: Manifest confusion threat undermines trust across npm registries.
Manifest confusion came to light last week when former npm and GitHub manager Darcy Clark disclosed an issue with the npm registry that could allow threat actors to hide malicious activity or pose other risks.
The issue stems from the fact that npm does not validate the manifest information (metadata) shown in the registry against the actual contents of the associated package archive, or "tarball".
This means that a malicious package publisher can hide information such as the dependencies the package pulls in or the scripts the package runs.
Manifest confusion could thus be exploited by an attacker to install unknown or unlisted dependencies, execute unknown scripts, and launch downgrade attacks. Developers could also be at risk of cache poisoning, where a stored package does not match the name and version of the package in the registry, Clark argued.
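As an added illustration (not Pankratz's tool and not code from the article), the check below does what such a tool has to do: read the package.json inside an npm tarball and compare it field by field with the manifest the registry shows. It runs on constructed sample data; the package name, dependency and script values are made up.

```python
import io
import json
import tarfile

# Fields whose mismatch between the registry manifest and the packed package.json
# matters most for manifest confusion: what gets installed and what gets executed.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def package_json_from_tarball(tarball_bytes: bytes) -> dict:
    """Extract package/package.json from an npm tarball (npm packs everything under package/)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.extractfile("package/package.json")
        if member is None:
            raise ValueError("tarball has no package/package.json")
        return json.load(member)


def manifest_mismatches(registry_manifest: dict, tarball_bytes: bytes) -> dict:
    """Return {field: (registry_value, tarball_value)} for every checked field that differs.

    An empty dict means the registry metadata agrees with the packed package.json."""
    packed = package_json_from_tarball(tarball_bytes)
    diffs = {}
    for field in CHECKED_FIELDS:
        reg_val = registry_manifest.get(field)
        tar_val = packed.get(field)
        if reg_val != tar_val:
            diffs[field] = (reg_val, tar_val)
    return diffs


def build_tarball(package_json: dict) -> bytes:
    """Constructed sample only: pack a package.json into an npm-style tarball in memory."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what the registry's version manifest shows (clean) ...
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}, "scripts": {}}
# ... versus what the published tarball actually contains (an extra dependency and an install hook).
PACKED_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                   "dependencies": {"left-pad": "^1.3.0"},
                   "scripts": {"postinstall": "node setup.js"}}

if __name__ == "__main__":
    for field, (reg, tar) in manifest_mismatches(REGISTRY_MANIFEST, build_tarball(PACKED_MANIFEST)).items():
        print(f"MISMATCH {field}: registry={reg!r} tarball={tar!r}")
```

Against the real registry, the manifest is the version document served for a package version and the tarball is fetched from that document's dist.tarball URL; the comparison itself is unchanged.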
With no official response from npm or its owner GitHub, Pankratz has stepped in with an easy-to-use script for developers.
Clark was persuaded to make the findings public after six months of silence on the issue.
“I believe that the potential impact/risk of this issue is actually much greater than originally understood, and I submitted a HackerOne report on March 9th with my findings. They closed the ticket and announced that they were working on the issue ‘internally’ on March 21st,” he explained last week.
“To my knowledge, they have not made any significant progress and have not made the matter public.”