A scanner darkly

Detecting malicious JavaScript packages in the npm ecosystem has just become easier, following the launch of a new tool at the Black Hat Asia security conference in Singapore earlier today.

Npm is a popular open source package manager for JavaScript. More than 500 new packages are uploaded to the npm registry every day.

Vulnerabilities are predominately identified through an in-built audit feature that detects previously reported malicious packages (such as the eight million times downloaded event-stream).

A new tool unveiled today at Black Hat Asia, npm-scan, aims to further improve the security of the npm ecosystem through a heuristic-based analysis utility that searches for bad code.

“What we’re trying to do is add another layer of checking on top of [existing audit features],” said Eugene Lim, one of the creators behind npm-scan.

Lim explained how security platforms like npm-audit and snyk fall short by relying on databases of disclosed vulnerabilities, as opposed to actively looking for suspicious behavior within the packages themselves, which sometimes contain over 2,000 dependencies.

“So that’s the space we’re filling,” Lim told The Daily Swig. “We’re actually adding these heuristics and adding these scans to look into the actual code and find potentially malicious lines or problems.”

He added: “We want people to scan the packages and write the reports themselves.”

Lim and his team – which also includes Matthew Wong and Bernard Lim – began the difficult task of writing heuristics for detecting malicious npm packages last December at a hackathon in Singapore.

“The reason why it’s so hard to write heuristics is that it’s hard to get positive, or real examples of malicious packages,” said Lim.

“Once a package gets reported as malicious, npm takes it off the registry and we can’t really access it,” he said.

“We had to ask other security developers to give us examples of the malicious packages to work on.”

Heuristic scanning spots threats by finding specific commands that were not intended for the original application.

“So if, for example, the package is looking up your Content Security Policy there isn’t really a good reason for doing that unless the package is trying to circumvent your security policy,” said Lim.

“Stuff like the package looking up specific functions, or looking up specific parts of your application.”

The team has set-up an open source project, npm-zoo, a repository for previously identified malicious npm packages. Researchers can use the repository to train and fine tune heuristic (automatic detection) rules.

During recent backtest, npm-scan was able to successfully detect a malicious package that was originally reported in January.

“This proves that we have written the heuristics correctly, and that it will continue to work for new malicious packages that may come out,” said Wong.

“We’re hoping it becomes more of a community effort where everyone is pitching in and thinking about, or writing, new heuristics that can catch malicious packages.”

It’s also hoped that npm-scan can help enlist a security-by-design workflow with developers from the start, who may be more focused on getting their code out than following best practices in secure development.

“It’s really hard to do security right, especially with the amount of new people who are getting into web development and computing every day,” said Wong.

“We need to make it easy for these people to write secure code, and that’s where we want to fit in with this project. We help people to get it right from the start.”


RELATED Can we turn security into an enabler? Only if developers and researchers work together