DEV Community

Cover image for Npm packages hacking
Dhanush N
Dhanush N

Posted on


Npm packages hacking

The ecosystem of npm javascript libraries is a huge ocean. The dependency over many other packages is one of a major aspect. On an average it seems that a package may have dependency over 60 third party packages and also form 40 different maintainers. This varies from minimum to maximum

If there are 100 maintainers for a npm package and the attacker tries to compromise any one then the community would affect a serious security incident.

Hacking is not only about hacking into accounts, it is also an alternative way in finding security issues in existing npm packages.

Would like to cite an incident which happened on October 2021

A popular npm package ua-parser-js was hacked.
According to the official information on the site the library is used by companies such as Facebook, Apple, Slack, IBM, Oracle, Mozilla, Reddit etc.The versions which were compromised on the attack was 0.7.29, 0.80, 1.0.0,

"I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.80, 1.0.0) which will probably install malware" said Faisal Salman, author of UAParser.js library

On investigating on the compromised code revealed extra scripts in both linux & windows platforms if installed and would execute binaries. Since this library has almost 8 milliion downloads & big corporations relied on the library the US CISA informed developers to update to safer versions

It was also said that any computer that has this package installed or running means that the system is fully hacked and keys and secrets to be changed immediately. It was also mentioned that even if the package is removed there is no guarantee that the package will remove all malicious software.

Some other packages that was also hacked during that month were

The number of malicious packages uploaded on the npm repository has been rising. The packages compromised occurred before as well

  • In July 12th 2018, malicious packages were published from a well known popular library Eslint

  • In May 2018 a malicious package called getcookies was containing malicious modules in a way that would have allowed the backdoor to be triggered

  • In August 2017 the npm team removed 38 Javascript npm packages that were caught stealing sensitive information such as passwords, secrets and api keys

  • In June 2017 the npm security team forced password resets for large number of accounts for using weak passwords

  • In March 2017 information was defined that most popular websites were using outdated javascript libraries that are subject to known and old vulnerabilities.

Many type of attacks are followed but one of the common attack followed is typo-squatted on famous project names.

Example If there is a package named "parseragent" then the attacker registers another package named "parsersagent" that contains the source of the "parseragent" project with some additional malicious code. This once installed or ran would start running malicious code on the system and compromise the data being stored on the system.
Even after uninstallation of the package also seems the malware to be present in the system.

So what is the best way to handle these mess

  • The npm ecosystem should provide a better way in auditing popular npm packages to make sure the code is safe and comes from trusted source.
  • The auto updating of npm packages should be avoided and manual update after verifying the package to be followed. >> Once hijacked always be prepared in modifying the secrets in the system and also clearing the system if necessary

Hacking is a tremendous impact and we can only delay or prevent few hijacking possibility we know. Security is a major concern and needs to be addressed as per the technology advancement

Thanks for reading !!!

Buy Me A Coffee

For more insights consider lets stay connected via Twitter

Top comments (0)

11 Tips That Make You a Better Typescript Programmer


1 Think in {Set}

Type is an everyday concept to programmers, but it’s surprisingly difficult to define it succinctly. I find it helpful to use Set as a conceptual model instead.

#2 Understand declared type and narrowed type

One extremely powerful typescript feature is automatic type narrowing based on control flow. This means a variable has two types associated with it at any specific point of code location: a declaration type and a narrowed type.

#3 Use discriminated union instead of optional fields


Read the whole post now!