The npm JavaScript ecosystem is a huge ocean, and dependence on many other packages is one of its defining features. On average a package appears to depend on around 60 third-party packages, written by about 40 different maintainers, though the spread from minimum to maximum is wide.
If a package has 100 maintainers and an attacker manages to compromise any one of them, everyone downstream is exposed to a serious security incident.
Hacking here does not only mean breaking into maintainer accounts; it is also an alternative way of exposing security weaknesses in existing npm packages.
I would like to cite an incident that happened in October 2021, when the popular npm package ua-parser-js was hijacked.
According to the project's own site, the library is used by companies such as Facebook, Apple, Slack, IBM, Oracle, Mozilla and Reddit. The versions compromised in the attack were 0.7.29, 0.8.0 and 1.0.0.
"I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware," said Faisal Salman, author of the UAParser.js library.
Investigation of the compromised code revealed an extra install script for both Linux and Windows which, when the package was installed, downloaded and executed binaries: a cryptocurrency miner, and on Windows also credential-stealing malware. Since the library had almost 8 million weekly downloads and large corporations relied on it, the US CISA told developers to update to safe versions.
The advisory also said that any computer with this package installed or running should be considered fully compromised, and that all keys and secrets stored on it should be rotated immediately, from a different machine. It also warned that removing the package gives no guarantee that all malicious software resulting from the install is gone.
Other packages were hijacked during the same month as well.
The number of malicious packages uploaded to the npm registry has been rising, and package compromises have happened before as well:
- On 12 July 2018, malicious versions were published from the well-known ESLint project: a compromised maintainer account was used to publish a malicious release of eslint-scope that harvested npm tokens from the machines that installed it.
- In May 2018 a malicious package called getcookies was found to contain hidden code that allowed a backdoor to be triggered remotely.
- In August 2017 the npm team removed 38 typosquatted JavaScript packages that were caught stealing sensitive information such as passwords, secrets and API keys.
- In June 2017 the npm security team forced password resets for a large number of accounts that were using weak passwords.
- In March 2017 a study reported that many of the most popular websites were using outdated JavaScript libraries subject to old, known vulnerabilities.
Many kinds of attack are used, but one of the most common is typosquatting on famous project names.
For example, if there is a package named "parseragent", the attacker registers another package named "parsersagent" that contains the source of the "parseragent" project plus some additional malicious code. Once it is installed (npm runs a package's install scripts automatically unless that is disabled) or required, it starts running malicious code on the system and compromises the data stored there.
Even after the package is uninstalled, the malware it dropped may still be present on the system.
So what is the best way to handle this mess?
- The npm ecosystem should provide a better way of auditing popular npm packages to make sure the code is safe and comes from a trusted source.
- Automatic updating of npm packages should be avoided: pin exact versions, commit the lockfile, and update manually only after verifying the new release.
- Once a hijack has happened, be prepared to rotate every secret on the affected systems and to wipe and rebuild them if necessary.
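To make the lookalike-name pattern and the auto-update risk concrete, here is an added example, not code from the original post or from any npm project: a small Node.js script that audits a constructed package.json and package-lock fragment for three of the problems described above: dependency names within a short edit distance of a well-known package, installed versions that match the hijacked ua-parser-js releases named in the post, and floating version ranges that would have pulled a hijacked release in automatically. Every package name in it except ua-parser-js is hypothetical, and the "well-known" list and blocklist are stand-ins for whatever curated lists you maintain.

```javascript
// Added example, not code from the original post or from any npm project: a small
// Node.js audit over a constructed package.json / package-lock fragment that flags
//   1. lookalike names within a short edit distance of a well-known package name
//      (the "parseragent" vs "parsersagent" pattern from the post),
//   2. resolved versions that match a list of known-compromised releases
//      (ua-parser-js 0.7.29 / 0.8.0 / 1.0.0, the versions named in the post),
//   3. floating version ranges that let a plain `npm install` pull a newly
//      published, possibly hijacked, release without anyone reviewing it.
// Every package name here except ua-parser-js is hypothetical.

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "lodahs" counts as one edit from "lodash" rather than two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// 1. Dependencies whose name is close to, but not the same as, a well-known name.
// Short names get a tighter threshold: with very short names almost everything is
// within two edits, so the check would drown in false positives.
function findLookalikes(deps, wellKnown) {
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (wellKnown.includes(name)) continue; // the genuine package itself
    for (const known of wellKnown) {
      const maxDistance = known.length >= 8 ? 2 : 1;
      const distance = editDistance(name, known);
      if (distance <= maxDistance) hits.push({ name, lookalikeOf: known, distance });
    }
  }
  return hits;
}

// 2. Installed versions that appear on a blocklist of compromised releases.
// Works on the "packages" map of package-lock.json (lockfileVersion 2/3), whose
// keys are node_modules paths; everything after the last "node_modules/" is the
// package name, which keeps scoped and nested packages correct.
function findCompromised(lockPackages, blocklist) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const bad = blocklist[name];
    if (bad && bad.includes(meta.version)) hits.push({ name, version: meta.version });
  }
  return hits;
}

// 3. Version specs that are not a single exact version. "^0.7.28" would have
// resolved to the hijacked 0.7.29 the moment it was published; git URLs, tags
// such as "latest" and wildcards are reported too, since all of them move.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
function findFloatingRanges(deps) {
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

function auditDependencies(deps, lockPackages, wellKnown, blocklist) {
  return {
    lookalikes: findLookalikes(deps, wellKnown),
    compromised: findCompromised(lockPackages, blocklist),
    floating: findFloatingRanges(deps),
  };
}

// --- constructed sample input (not a real project) ---
const WELL_KNOWN = ["ua-parser-js", "parseragent", "lodash", "express"];
const BLOCKLIST = { "ua-parser-js": ["0.7.29", "0.8.0", "1.0.0"] };
const packageJsonDeps = {
  "ua-parser-js": "^0.7.28", // caret range: accepts 0.7.29 automatically
  parsersagent: "1.2.0",     // hypothetical lookalike of hypothetical "parseragent"
  lodahs: "4.17.21",         // hypothetical transposition of "lodash"
  express: "4.18.2",
};
const lockPackages = {
  "node_modules/ua-parser-js": { version: "0.7.29" }, // what the caret range resolved to
  "node_modules/parsersagent": { version: "1.2.0" },
  "node_modules/lodahs": { version: "4.17.21" },
  "node_modules/express": { version: "4.18.2" },
};

const report = auditDependencies(packageJsonDeps, lockPackages, WELL_KNOWN, BLOCKLIST);
console.log(JSON.stringify(report, null, 2));
```

On the sample input the report lists parsersagent and lodahs as lookalikes, ua-parser-js 0.7.29 as a compromised install, and the "^0.7.28" range as the reason it got there. Drop it into a CI step that fails on any finding and the "manual update after verification" rule becomes something the pipeline enforces rather than something people remember; note that the edit-distance check is a heuristic, so keep the well-known list short and review hits by hand.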
Hacking has a tremendous impact, and we can only delay or prevent the hijacking methods we already know about. Security is a major concern and needs to be addressed as the technology advances.
Thanks for reading !!!
For more insights, let's stay connected via Twitter.