Is npm a Hotbed of Malware?
According to the report, WhiteSource tracked an average of 32 thousand new npm packages published every month during 2021. Even out of that yearly total of 384 thousand packages, your chance of grabbing the wrong code only goes up to 0.00338%.
Of course, no one picks packages at random. But this does underline that you need to look very carefully at any npm code before pulling it into your project. For example, you’ll want to avoid new code or code that others have avoided.
On the other hand, do you want to take even a minute chance when the kinds of attacks hiding in npm include:
- Software supply chain attacks: Used to steal data, corrupt targeted systems, and gain access throughout networks via lateral movement.
- Cryptojacking: Enables a threat actor to take control of a victim’s compute resources to mine cryptocurrency.
- Data stealing: Using keyloggers, screen scrapers, spyware, adware, bots, and more, attackers steal private and/or proprietary data from victims.
- Security research: Attackers create packages that falsely claim to be designed for security research but actually contain malicious code.
I don’t think you do.
True, most npm malware is just there to check out your site. But who wants a reconnaissance program cruising through your systems? I sure don’t!
In addition, by npm’s official count, an astronomical 20 billion package versions are downloaded every week. Clearly, few people are doing their due diligence when it comes to using npm packages.
By its very nature, npm is difficult to police. Npm enables you to use external libraries and supports dependency management. Combined, this makes it all too easy to call third-party libraries and dependencies for your project. In addition, while in theory npm packages include everything needed for their functionality, all too often packages download additional resources upon installation. Sure, you checked the specific program for security problems, but what about all its dependencies and its downloads?
Can you say “dependency hell?” I can.
Secure the Software Supply Chain
Npm is a sterling example of why we need software supply chain security. And we need it now.
So it’s no surprise that “with more than 18,000 npm package versions published in 2021, there’s no question that npm is a valuable tool for developers,” explained Rami Sass, WhiteSource’s co-founder and CEO. But, “Unfortunately, that popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals.”
So, what can you do? Well, of course, WhiteSource would like you to download and eventually buy Diffend. Their tool checks to make sure you’re only using verified package sources and that you avoid most npm security traps. Using Diffend is actually a good idea.
In addition, WhiteSource has numerous other suggestions on how to defend yourself against common npm security holes. These include:
- Watch out for typosquatting and its friends. For example, sspec -> rspec; atlas-client -> atlas_client; damerau-levenstein -> damerau-levenshtein; or ruby-bitcoin -> bitcoin-ruby
- Never blindly assume ownership in any registry.
- Migrate from packages that are abandoned or take them over.
- Do not use packages that are fairly new (e.g. days old).
- Report unexpected behaviors and inconsistencies to package owners.
- Never install packages without running an assessment.
- Don’t install upgraded libraries without carefully reviewing the code.
- Make sure that dependency update tools which open pull requests (PRs) for updates have enough delay built in to give you time to verify package updates.
- Do not use the same environment variable (ENV) for running specs, building containers, pushing things, etc.
Finally, always remember that the most damage to date from npm has not come from conventional malware at all. Instead, it’s come from developers screwing around with their own npm libraries. Examples include the recent “colors.js” and “faker.js” mess and 2016’s infamous “left-pad” npm episode.
In short, while I can’t call npm a “playground for malicious actors,” I can call it ripe for malware and unable to defend itself well from its inherent security problems. If you use npm, and I know many of you do, you must take steps to protect yourself.