Malware gets spotted in GitHub’s npm registry every few months, elevating concerns about the software supply chain until attention gets diverted and worries recede until the next fire drill.
Incidents like the sudden removal of left-pad from npm in 2016 or the subversion of colors.js last month get noticed, but much of the mischief on npm flies under the radar.
WhiteSource, a security firm based in Israel, says that in 2021, it detected 1,300 malicious npm packages. It reported them to npm, which subsequently removed the malware without fanfare.
The potential for damage is significant because npm packages often include other packages as dependencies, so a given app may have several layers of potential attack surface. As one 2019 study [PDF] found, “Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers.”
The situation is similar though less extreme at package registries for other languages like the Python Package Index (PyPI), RubyGems.org, and the Comprehensive Perl Archive Network (CPAN).
The npm registry is larger than its peers, with 1.8 million packages, each of which has an average of about 12 different versions. The closest contender is Java’s Maven Central, with about 457,000 packages at the moment.
Online crims move in
The npm registry receives some 17,000 new packages daily or 6.2 million over the course of a year. And while finding 1,300 bad apples among the new and the preexisting packages during that time period shows that poisoned packages are rather rare overall, there’s still reason to be concerned given the consequences of being victimized.
“A worrying fact is that almost 14 per cent of all the packages detected were designed to steal sensitive information like credentials and other data present in environment variables,” the WhiteSource report says.
Most of the malware detected (~82 per cent) is designed for reconnaissance – gathering information that may be useful for targeting future attacks. Just over 2 per cent of the malware was crafted for remote code execution.
The company notes that while most of the malicious packages detected have no specific target, some, like @grubhubprod/cookbook, clearly have a specific victim in mind.
“This package and a couple of similar ones were used in an attempt to get into the company, Grubhub,” the report says. “The probable vector of this attack was the dependency confusion approach. Upon installation of this package, it would intercept all available environment variables data and send it to a remote location.”
The company makes a number of recommendations, which largely boil down to not trusting packages blindly, paying attention to changes, and generally taking reasonable precautions. And if history is any guide, these will largely be ignored.
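Two of those precautions can be mechanised. The report's Grubhub example combines dependency confusion (an internal package name resolved from the public registry) with an install-time script that reads environment variables, so a CI step can check a project's lockfile for internal names resolved from the wrong registry and list every installed package that runs a lifecycle script. The script below is an added example, not code from the article or from WhiteSource; the private registry URL, the `@acme` scope and the sample lockfile entries are constructed for illustration.

```javascript
// Added example: audit a package-lock.json "packages" map and the manifests
// of installed packages for two npm supply-chain risk signals.
const PRIVATE_REGISTRY = "https://npm.internal.example.com/"; // assumed host
const INTERNAL_SCOPES = ["@acme"];                             // assumed scope
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// True when a package name belongs to one of the organisation's private scopes.
function isInternalName(name) {
  return INTERNAL_SCOPES.some((s) => name === s || name.startsWith(s + "/"));
}

// lockPackages: the "packages" map of a lockfile (v2/v3), keyed by
// ".../node_modules/<name>", each entry carrying a "resolved" tarball URL.
// An internal name fetched from anywhere but the private registry is a
// dependency-confusion candidate.
function findConfusedDeps(lockPackages) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockPackages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;                       // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (!isInternalName(name)) continue;
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(PRIVATE_REGISTRY)) hits.push({ name, resolved });
  }
  return hits;
}

// manifests: map of package name -> parsed package.json of the installed copy.
// Any lifecycle script runs arbitrary code on `npm install`, so each one is
// listed for human review rather than trusted blindly.
function findInstallHooks(manifests) {
  const hits = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (scripts[hook]) hits.push({ name, hook, command: scripts[hook] });
    }
  }
  return hits;
}

// Constructed sample data: one internal package came from the public registry,
// one public package declares a postinstall script.
const SAMPLE_LOCK = {
  "": { name: "demo-app" },
  "node_modules/@acme/billing-client": { version: "9.9.9", resolved: "https://registry.npmjs.org/@acme/billing-client/-/billing-client-9.9.9.tgz" },
  "node_modules/@acme/logger": { version: "1.2.0", resolved: "https://npm.internal.example.com/@acme/logger/-/logger-1.2.0.tgz" },
  "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
};
const SAMPLE_MANIFESTS = {
  "left-pad": { name: "left-pad", version: "1.3.0" },
  "some-tool": { name: "some-tool", scripts: { postinstall: "node setup.js" } },
};
```

Run as `node audit.js` after wiring the two maps to `JSON.parse` of the real lockfile and `node_modules/*/package.json`; in a pipeline, treat a non-empty result from either function as a blocking finding.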
The npm registry, however, looks likely to avoid the risk of noncompliance by making security a requirement, at least in the context of login authentication. On Tuesday, Myles Borins, staff product manager for open source at GitHub, announced mandatory use of two-factor authentication (2FA) for the maintainers of the top 100 npm packages, as measured by dependents. Obligatory 2FA will eventually be required for all those publishing packages via npm.
GitHub is also working on implementing WebAuthn for hardware security keys; both of these initiatives make it less likely that miscreants will be able to hijack the accounts of those maintaining popular packages in order to push poisoned updates to a mass audience.