According to WhiteSource, a leading open source security provider, npm, one of the most widely used JavaScript package managers, is a playground for malicious actors. Is it really that bad?
First, JavaScript is wildly popular. Love it or hate it, JavaScript, by Stack Overflow’s count, remains today’s most commonly used programming language. With more than 16 million developers worldwide relying on its speed, strong documentation, and interoperability with other programming languages, that won’t be changing soon.
But its popularity is a mixed blessing. Attackers are increasingly targeting JavaScript’s open source package managers and package registries, the most widely used of which is npm, with more than 1.8 million active packages.
Using WhiteSource Diffend, the company’s flagship automated malware detection platform, the company says it found more than 1,300 malicious packages in npm in 2021. That’s bad, but 1,300 out of 1.8 million is only about 0.07%. If you were to grab JavaScript packages at random for your program, odds are you’d be safe.
According to the report, WhiteSource tracked an average of 32 thousand new npm packages published every month during 2021. Even measured against that year’s total of roughly 384 thousand new packages, your chance of grabbing the wrong code only rises to about 0.34%.
Of course, no one programs that way. But this does underline that you need to look very carefully at any npm package before pulling it into your project. For example, you’ll want to avoid brand-new packages, and packages that other developers have avoided.
On the other hand, do you want to take even a minute chance when the kinds of attacks found hiding in npm included:
I don’t think you do.
True, most npm malware is just there to look around your site. But who wants a reconnaissance program cruising through your systems? I sure don’t!
In addition, by npm’s official count, an astronomical 20 billion package versions are downloaded every week. Clearly, few people are doing their due diligence on every package they pull in.
By its very nature, npm is difficult to police. It lets you pull in external libraries and manages their dependencies for you, which makes it all too easy to call third-party code from your project. In addition, while in theory an npm package includes everything needed for its functionality, many packages run lifecycle scripts (preinstall, install, postinstall) when they are installed, and those scripts can download and run additional code. Sure, you checked the specific package for security problems, but what about all its dependencies, and whatever they fetch at install time?
Can you say “dependency hell?” I can.
Npm is a sterling example of why we need software supply chain security. And we need it now.
So it’s no surprise that “with more than 18,000 npm package versions published in 2021, there’s no question that npm is a valuable tool for developers,” explained Rami Sass, WhiteSource’s co-founder and CEO. But, “Unfortunately, that popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals.”
For example, let’s say you meant to download the well-regarded npm packages style-resources-loader and sass-loader. But, unlucky you, you instead downloaded two brandjacking packages impersonating them. Besides having names that looked right at a casual glance, they also included the real packages’ source code. Hiding in there, though, was an obfuscated JavaScript file and a pair of binaries disguised as JavaScript components that were up to no good.
Specifically, one of the fake JavaScript files was a component of Cobalt Strike, an adversary simulation framework. The final goal? To put your machine to work mining Monero cryptocurrency. That’s no one’s idea of a good time.
So, what can you do? Well, of course, WhiteSource would like you to download and eventually buy Diffend. Their tool checks that you’re only using verified package sources and helps you avoid most npm security traps. Using Diffend is actually a good idea.
In addition, WhiteSource has numerous other suggestions on how to defend yourself against common npm security holes. These include:
Finally, always remember that the most damage to date from npm has not come from conventional malware at all. Instead, it’s come from developers sabotaging or pulling their own npm libraries. Examples include the recent colors.js and faker.js mess and 2016’s infamous left-pad episode.
In short, while I can’t call npm a “playground for malicious actors,” I can call it ripe for malware and unable to defend itself well from its inherent security problems. If you use npm, and I know many of you do, you must take steps to protect yourself.