Developers using the wildly popular npm registry to download JavaScript code may unwittingly be exposed to a range of cyber-threats because it fails to check the metadata of packages, it has emerged.
The GitHub-owned software registry is said to be the world’s largest, relied upon by 17 million global developers.
However, former GitHub and npm manager, Darcy Clarke, explained in a blog post this week that the registry has failed to take action, despite knowing about the issue since last November.
“I believed the potential impact/risk of this issue was actually far greater than originally understood and I submitted a HackerOne report with my findings on March 9. GitHub closed that ticket and said they were dealing with the issue ‘internally’ on March 21st,” Clarke explained.
“To my knowledge, they have not made any significant headway, nor have they made this issue public – instead, they’ve actually divested their position in npm as a product the last six months and refused to follow-up or provide insight into any remediation work.”
The issue itself arises from the fact that npm doesn’t validate manifest information (metadata) with the actual contents of an associated package or “tarball.”
This means that, in theory, a package publisher could conceal important information such as which dependencies it has and which scripts the package runs.
Clarke said that this in turn presents several risks to npm users:
- Cache poisoning, where a saved package doesn’t match the name and version of the one in the registry
- Installation of unknown or unlisted dependencies, thus tricking security and audit tools
- Execution of unknown and unlisted scripts, again tricking security/audit tools
- A potential downgrade attack where the version spec saved into projects is for a unspecified, vulnerable version of the package
Sonatype staff security researcher Ax Sharma, argued that the discovery of manifest confusion illustrates the importance of developers not relying on metadata alone, as these can be full of inaccuracies.
“This does not necessarily stem from malicious behavior, but could occur when legitimate projects are cloned or forked, or when the new developer leaves older metadata within the newer package’s manifest file or its npm registry page,” he added.
“The key lies in not blindly trusting manifests and using security tooling that performs a deeper analysis, such as hash-based analysis of the malicious or vulnerable files – known as advanced binary fingerprinting.”
If developers fail to use such analysis tools, they may be exposed to attacks where threat actors inject malicious dependencies or drop malicious install scripts that are subsequently missed by solutions relying solely on manifest data, Sharma concluded.