The Daily Swig speaks to npm’s Adam Baldwin about improving security for the world’s biggest repository of open source software packages
The growth of Node.js has also given rise to the Node Package Manager (npm), the world’s largest repository of open source software packages.
In recent years, npm has become one of the most widely used Node.js tools, enabling thousands of developers to share code and simplify the development and distribution of their Node.js programs.
But like every software tool that becomes popular among developers and users, npm has also attracted the interest of malicious hackers who have used it to launch cyber-attacks against unsuspecting individuals and organizations.
What is npm?
npm is both a command-line interface (CLI) tool and a repository. The repository enables Node.js developers to publish and distribute reusable code and currently contains more than 800,000 packages.
The CLI tool enables Node.js developers to download and install packages in their applications.
Both the npm repository and the CLI tool are free. Although npm is an independent organization and project, because of its popularity, Node.js has bundled it with its main distribution.
npm saves a lot of time and effort for Node.js developers. Say you want to add a directory creation function to your Node.js application, instead of coding from scratch, you can use npm to integrate the mkdirp package into your project.
npm also manages your application’s dependencies, while keeping track of the packages that you add to your project.
When you distribute an application to users, npm will automatically resolve dependencies by downloading and installing the required packages. And if the maintainers of those packages release new versions, npm can update your project’s dependencies with a single command.
The open source and widespread nature of npm, as well as its ease of use, pave an entry for multiple security threats.
“The major security issues that we’ve encountered have been related to packages stored in the npm registry or the maintainers of the packages,” Adam Baldwin, vice president of security at npm, told The Daily Swig.
“Just like most package managers, the barrier to entry to publish packages to npm is very low, so a new package can contain just about any content.”
However, the security team at npm sees every newly published package before anybody else does.
“Internally, we have tooling that reviews where packages are published from as well as dynamic and static analysis, to try to gain an understanding of the intent of the package and if there are any anomalies,” Baldwin said, adding that npm also uses a machine learning-powered API to help with spam-related packages and maintainers.
But cybercriminals find clever ways to slip past these defenses.
In 2018, for instance, a cybercriminal managed to compromise event-stream, a very popular npm package, in order to infect it with malicious code and steal money from the Copay cryptocurrency wallet.
The malware-infected was distributed to more than eight million devices before it was discovered and fixed.
The maintainers of event-stream had granted a malicious actor publishing rights, a practice that is very common in open source communities.
They were then able to modify the package and add a dependency to a library that contained the obfuscated malicious code.
As soon as users of event-stream updated their npm packages, they automatically downloaded the malicious code onto their devices.
The past year has seen several similar attacks where hackers inject malicious code into popular packages.
“In terms of dev workflows, it’s essentially a package supply chain attack that slips very targeted, obfuscated code aimed at specific projects that use those packages, but the fallout is much wider due to the popularity of these packages,” said Eugene Lim, a security researcher and one of the developers behind npm-scan – a tool that sniffs out bad code in npm packages through heuristic-based analysis.
Sniffing out malicious packages
npm is regularly updating its tools to improve the platform’s security. In 2018, npm added the audit command, which helps find vulnerabilities in npm packages.
More recently, the organization added a feature that improves security for npm Enterprise, the commercial edition of the package manager.
“We’re always looking for ways to improve ecosystem security,” Baldwin said, while adding that nothing replaces an organization’s responsibility to audit and vet code they install or put into production.
“However, we’re working to make the signals and data that we collect and use internally more accessible to our users so that tools can be built to help further understand package risks,” Baldwin said.
Lim, however, believes more needs to be done to improve security.
“When malicious packages are reported and taken off the registry, their source code is no longer accessible,” he told The Daily Swig.
“Perhaps they could be made available to researchers to build heuristics around detecting and identifying such packages,” he said.
Lim adds that putting more stringent checks on package modifications – such as flagging unusual updates from new contributors – might better security given that most malicious packages are distributed through compromised developer accounts.
Security best practices
Baldwin recommends that maintainers use strong passwords and two-factor authentication to protect their accounts.
To developers using npm packages, he suggests using the package-lock.json file, a feature added to npm since v5, to pin dependencies on trusted versions of packages and avoid automatic updates that can potentially install malicious code in their applications.
“Review dependencies before you install them, and when you update them,” Baldwin said.
“I know this is a big undertaking and it takes time, but taking a couple minutes to review changes could make all the difference.”
Lim added: “Vet any third-party packages and don’t blindly install them, especially if they use run-scripts.
“The npm package repository is wonderfully convenient, but at the end of the day only you can be responsible for your project’s security.”
YOU MIGHT ALSO LIKE Open source tool searches for secrets in GitHub