Wednesday, 06 July 2022

More Flaws Found in NPM Allowing Attackers to Attach Malicious Packages to Known Good Devs.


A new flaw has been identified in the Node.js package manager, NPM. The flaw is being described as a logical flaw, but in reading over the data it seems more like a permissions flaw. The good news is that as of April 26 the flaw has been addressed by NPM; the bad news is that it was in play until then. According to the researchers that discovered it, the flaw relates to the way you can attach other accounts to an uploaded package.

An attacker was able to upload a malicious package and, due to a lack of controls inside NPM, assign anyone on the platform as a maintainer of that package. The person now associated with the package receives no notification about it, which makes the flaw even worse. It is possible that there are malicious packages available on NPM that are attached to known good developers, which an unsuspecting person could download and use.
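A defender-side check for the situation described above, added here as an example and not taken from the article or from NPM's own tooling. It uses two fields the npm registry returns in package metadata, the top-level `maintainers` list and the per-version `_npmUser` (the account that actually published that version); the allowlist, package name and sample metadata are constructed for the example.

```javascript
// A trusted name in `maintainers` proves nothing on its own, because (per the
// article) anyone could be attached to a package without consent. This check
// only accepts a version when the account that published it is on your own
// allowlist, and separately flags the tell-tale pattern of a trusted name being
// listed while someone else did the publishing.
function assessPackage(packument, version, trustedPublishers) {
  const findings = [];
  const trusted = new Set(trustedPublishers);
  const v = packument.versions && packument.versions[version];
  if (!v) {
    findings.push(`version ${version} not present in registry metadata`);
    return { ok: false, findings, publisher: null, maintainers: [] };
  }
  const publisher = v._npmUser && v._npmUser.name ? v._npmUser.name : null;
  const maintainers = (packument.maintainers || []).map((m) => m.name);
  if (!publisher) {
    findings.push('no publisher (_npmUser) recorded for this version');
  } else if (!trusted.has(publisher)) {
    findings.push(`version ${version} was published by untrusted account "${publisher}"`);
  }
  // Trusted developer listed as maintainer, but the release came from elsewhere.
  const trustedListed = maintainers.filter((m) => trusted.has(m));
  if (trustedListed.length > 0 && publisher && !trusted.has(publisher)) {
    findings.push(`trusted maintainer(s) ${trustedListed.join(', ')} listed, but did not publish ${version}`);
  }
  return { ok: findings.length === 0, findings, publisher, maintainers };
}

// Constructed sample registry metadata (not a real package): a well-known
// developer appears as maintainer, but the only version was pushed by an
// unrelated account.
const samplePackument = {
  name: 'example-widget',
  maintainers: [
    { name: 'trusted-dev', email: 'trusted@example.invalid' },
    { name: 'unknown-acct', email: 'someone@example.invalid' },
  ],
  'dist-tags': { latest: '1.0.0' },
  versions: {
    '1.0.0': { version: '1.0.0', _npmUser: { name: 'unknown-acct', email: 'someone@example.invalid' } },
  },
};

// Example allowlist: the publishers your team has decided to trust.
const result = assessPackage(samplePackument, samplePackument['dist-tags'].latest, ['trusted-dev']);
console.log(result.ok ? 'OK to install' : `BLOCK: ${result.findings.join('; ')}`);
```

In practice the packument would come from `GET https://registry.npmjs.org/<package>` and the allowlist from your own configuration; the decision logic is unchanged.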

This newly disclosed (and patched) flaw comes on the heels of one related to MFA that could allow an attacker to compromise a valid account, as well as other bugs that have allowed attackers to poison the repository. When you combine these flaws with some of the self-sabotage we have seen from legitimate developers, it is going to have an impact on the trust that open source has built up.

We have a feeling that the recently identified issues with NPM are going to push development teams to move away from the use of repos like NPM. The idea that the once trusted source of dependencies for larger software projects is no longer safe will make its use inadvisable. After all, at the end of the day the developers/publishers of any software package are going to be the ones that take the hit if there is an incident, regardless of the reason for the incident. If the component is central to the functionality of the application, think Log4J, it can also mean significant costs in re-engineering the application to remove or correct the identified flaw.

It will be interesting to see how developers respond to the latest news about NPM, especially when taken alongside the increased interest in code repositories from the attacker community. Will we see these once popular sites dry up and fall into disuse, or will we see a push for better and more complete security controls? Only time will tell.
