1,300 malicious packages found in popular npm JavaScript package manager


Malicious actors use the npm registry as a starting point for open source software (OSS) supply chain attacks.

Open source software offers enormous potential for criminals and nation states to launch widespread supply chain attacks, and the OSS registries provide an important, easily accessible entry point.

Npm, Inc., a subsidiary of Microsoft-owned GitHub, is the largest OSS registry providing JavaScript packages. It contains more than 1.8 million active packages – but has become, according to open-source security management company WhiteSource, a playground for “malicious actors”. Over the past six months, malware detection platform WhiteSource Diffend has reported over 1,300 malicious packages to npm for stealing credentials, stealing crypto, and running botnets.

Diffend was acquired by WhiteSource in April 2021. Its creator, Maciej Mensfeld, joined WhiteSource as Senior Product Manager.

In its NPM Threat Report (PDF), WhiteSource explains that through 2021 it tracked over 32,000 new packages uploaded to npm each month. There is even more activity in new package releases, averaging over 17,000 per day throughout 2021.

“Unfortunately,” comments Rami Sass, co-founder and CEO of WhiteSource, “this popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals.”

The scale of the problem for the industry, and the opportunity for malicious actors, is immense. There are expected to be over 2 billion websites by the end of 2022, and almost 98% of them will use JavaScript. Many developers will turn to npm for out-of-the-box JavaScript solutions. The problem is that downloaded npm packages don’t need to be run or used by the developer: once a malicious npm package is downloaded, it is automatically allowed to do whatever it wants.

These permissions apply to both packages with unintended vulnerabilities and packages containing malicious code inserted by attackers.

WhiteSource Diffend currently detects around 10 malicious packages every day. Most of them are engaged in reconnaissance, actively or passively gathering information that can support future targeting. Fourteen percent, however, are designed to steal sensitive data such as credentials.

“As far as I know,” Mensfeld told SecurityWeek, “at least until the end of 2021, there were no automated tools on npm that would prevent anyone from uploading anything to the registry. So if you wanted to upload a package that would remove, when downloaded, all the data on the user’s computer, you could easily do it. There are no pre-checks on the package.”

WhiteSource reports its findings to npm, which removes malicious packages from the registry. However, if a new malicious package is detected and reported on a Friday, it is unlikely to be removed until the following Monday, and during that time it could potentially be downloaded thousands or even millions of times by automated package managers. WhiteSource also reports that Friday is a popular day for uploading new malicious packages to the registry.

A classic example of an OSS supply chain attack was revealed in late October 2021. The attackers inserted malicious code into three versions of ua-parser-js after apparently taking control of the developer’s npm account. “ua-parser-js is used to parse user agent strings to identify a user’s browser, operating system (OS), device, and other attributes,” WhiteSource explains. “Three new versions of this package have been released with the intention of getting users to download them.”

The package’s author responded quickly with new, clean builds, but the malicious code remained in the registry for another three hours. Ua-parser-js was downloaded around 8 million times a week at the time.

“Any computer with this package installed or running should be considered fully compromised,” GitHub warned. “A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or gain control of the system,” CISA advised.

WhiteSource warns that malicious actors are actively looking for the most effective ways to use npm for attacks. Since a malicious package is unlikely to remain undetected in the registry for more than a week, dormant code can be uploaded in a new or dropped package to see whether it is detected and how long that takes, a concept similar to malware writers testing their new releases against VirusTotal.

WhiteSource warns that developers using npm (or any other OSS registry) should not blindly trust the system, should update only when they are sure of the contents, should track changes, should run continuous integration (CI) in isolated steps, should create a security flow that matches the organization’s profile, and should support the entire SDLC.
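The article’s point that a downloaded package never needs to be run or used by the developer, and WhiteSource’s advice to update only when sure of the contents, both come down to npm’s install-time lifecycle scripts (preinstall, install, postinstall), which npm executes automatically when a dependency is installed. The following is an added example, not code from the article or from WhiteSource: it inspects a package manifest and flags those scripts, with a simple heuristic for commands that fetch from the network or spawn an inline interpreter; the sample manifests are constructed and the heuristic is an assumption, not a complete detector.

```javascript
// Lifecycle scripts npm runs automatically when a dependency is installed.
const AUTO_RUN_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Heuristic (assumption, not a complete detector): commands that download
// something, run an inline interpreter, or decode/eval payloads deserve a
// manual look before the package is trusted.
function looksSuspicious(cmd) {
  return /\b(curl|wget)\b|https?:\/\/|\bnode\s+-e\b|\bbash\s+-c\b|base64|eval\(/i.test(cmd);
}

// Return every install-time script in a package.json object, together with
// the command and whether the heuristic above considers it suspicious.
function findInstallScripts(pkg) {
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const findings = [];
  for (const name of AUTO_RUN_SCRIPTS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, name)) continue;
    const cmd = String(scripts[name]);
    findings.push({ name, cmd, suspicious: looksSuspicious(cmd) });
  }
  return findings;
}

// Per-package summary suitable for a CI gate or a pre-update review.
function summarize(pkg) {
  const findings = findInstallScripts(pkg);
  return {
    name: pkg.name,
    installScripts: findings.length,
    suspicious: findings.filter((f) => f.suspicious).length,
  };
}

// Constructed sample manifests for illustration; these are not real packages.
const benignPkg = {
  name: 'example-lib', version: '1.0.0',
  scripts: { test: 'jest', build: 'tsc' },
};
const hookedPkg = {
  name: 'example-hooked', version: '1.0.1',
  scripts: {
    postinstall: 'node -e "require(\'http\').get(\'http://example.invalid/\')"',
    test: 'jest',
  },
};

for (const pkg of [benignPkg, hookedPkg]) console.log(summarize(pkg));
```

Install scripts can also be disabled globally with `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`), at the cost of breaking the few packages that legitimately need them.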

WhiteSource, headquartered in Boston, USA, was founded in 2011 by Azi Cohen (GM), Rami Sass (CEO) and Ron Rymon (Executive Chairman). It raised $75 million in a Series D funding round in April 2021.


Kevin Townsend is a senior contributor to SecurityWeek. He wrote about high-tech issues long before Microsoft was born. For the past 15 years, he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from the Times and the Financial Times to current and former IT magazines.
