npm, the widely used JavaScript package manager and registry, is the latest technology to come under close scrutiny from the security community after it was found that attackers were using it to distribute malicious packages.
Security company WhiteSource has detected over 1,300 malicious npm packages and has released a threat report detailing its findings. The malware it found was being used to steal credentials, steal cryptocurrency, and run botnets.
“Being the world’s largest software registry that developers use to share packages, and many organizations use to manage private development, npm is also a source of great risk to applications’ security,” WhiteSource wrote in the report.
Using its Diffend malware detection platform, WhiteSource determined that Friday, Saturday, and Sunday were the most popular days for attackers to release their malicious software.
The report also details how malicious npm packages can affect software supply chains. These attacks mark a shift upstream: rather than targeting one victim directly, attackers infect components that will be distributed downstream to everyone who depends on them. According to WhiteSource, the attack surfaces in the supply chain include software dependencies, version control systems, testing tools, deployment tools, cloud hosting providers, and applications.
WhiteSource also listed five important things that companies should understand about npm package security:
- Attackers know that open source is a good way into a software supply chain because developers often don’t have time to read every line of code in every package, or to update packages when needed.
- Many npm packages download additional resources when installed (typically from lifecycle scripts such as postinstall), which makes it difficult to review and analyze the content of a package from its published source alone.
- Malicious actors can upload dormant code in a package to measure how long it takes to be detected, and thus plan how much time they will have to conduct an actual attack.
- npm packages by default have permission to do whatever they want once installed: their install scripts run with the same privileges as the developer or build system running npm.
- npm packages on average depend on over four other packages, which leads to what’s known as “dependency hell”, where it is hard to filter out the noise and thus easy for attackers to slip into a dependency chain and compromise a popular library.
The best practices for avoiding an npm attack, according to WhiteSource, are largely the same best practices as always: deploying a tool that can verify package sources, shifting security left, educating developers, and so on.