How to respond to growing supply chain security risks?

Each month since October 2021 we have a new security incident in the npm supply chain.

• October 2021 (ua-parser-js)
• November 2021 (coa, rc)
• December 2021 (qr.js, discord-lofy + discord-selfbot-v14)
• January 2022 (colors + faker.js)
• February 2022 (25 malicious packages)
• March 2022 (azure-sdk-v4 + azureazure)
• March bonus: Protestware
• March bonus: The Factory

My point is: that we all have to review and adapt how we work with dependencies taking into account supply chain security risks.

At this point, it's unsafe to ignore supply chain risks and there is nowhere to hide from them in the future.

I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors:

1. Malicious code injection: During the development process an attacker could replace URLs in a lock file or add malicious code (it is dangerous because it may be hard to catch in PR review).
2. Malicious package release: An attacker may publish malicious packages and hence trick other users into installing or depending on such packages.
3. Social Engineering: An attacker may manipulate a maintainer to hand over sensitive information.
4. Account Takeover: An attacker may compromise the credentials of a maintainer to inject malicious code under the maintainer’s name.
5. Ownership transfer: An attacker can show enthusiasm to maintain popular abandoned packages and transfer the ownership of a package.
6. Remote execution: An attacker may target a package by compromising the third-party services used by that package.

There are a lot of papers about detecting and mitigating those risks.

One specific paper (What are Weak Links in the npm Supply Chain) inspired me to create sdc-check.

As a big believer in the power of people collaboration, I am sure that the open-source community is our key to mitigating those supply chain risks and threats.

And it is happening right now. Github is opening the GitHub Advisory Database to community submissions. Awesome community NodeSecure builds cool things like scanner and js-x-ray. There are also lockfile-lint, LavaMoat, Jfrog-npm-tools (and I am sure there is more).

As an open-source maintainer, you could take action:

• make sure you are following security best practices

As an open-source consumer, you have to think about:

• what "extra" you could get with the next dependencies upgrade

Also, try to add additional safety step using a tool like sdc-check / lockfile-lint / scanner / etc.

thank you for attention 🙌