Cyberattacks Related to JavaScript NPM Rise Sharply

by ITECHNEWS
February 9, 2022
in Leading Stories, Opinion

There has been a sharp rise in malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide, with more than 1,300 malicious npm packages discovered for use in supply chain attacks, cryptojacking, data theft and more.

A recent report by WhiteSource, a provider of open source security and management solutions, showed that the most popular types of malicious packages were those performing reconnaissance, which consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.

Even as developers increasingly depend on JavaScript to create rich online functionality, the JavaScript ecosystem is under constant attack from malicious actors.

A popular attack method is through JavaScript packages installed using various node package managers, or npms, which are tools that automatically handle the dependencies of a project.

Because the npm ecosystem is open in nature, it allows anyone to submit packages—including bad actors who bundle backdoors or other malicious code in npms.

The report pointed out that the massive number of npm packages and the rate at which new ones are released makes the ecosystem difficult to monitor and creates a lucrative playground for attackers.

A Seemingly Unlimited Feed

Susan St. Clair, director of product management at WhiteSource, said the most concerning finding was that there’s a seemingly unlimited “feed” of malicious packages being published through npm. Another worrying fact uncovered by the report was that almost 14% of all the packages detected were designed to steal sensitive information like credentials and other data present in environment variables.

“Each one is like a landmine waiting for unsuspecting users to step on it; by that I mean implementing the packages in their code,” she said.

St. Clair said organizations should adopt lock files for all projects and implement processes to ensure they aren’t installing releases that are very new (in other words, releases that are days or even hours old).

“By locking in place current dependencies, and also decreasing the frequency at which such dependencies are ‘unlocked’ for updating, it greatly reduces the chance of falling victim during the window of time between a malicious package being released and when it’s eventually discovered and removed from the registry,” she said.
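
The advice above (pin dependencies with a lock file and hold back releases that are only days or hours old) can be enforced as a CI gate. The following is an added example, not code from the report or from WhiteSource; it assumes a package-lock.json in the lockfileVersion 2/3 layout and a map of publish times shaped like the `time` field of npm registry metadata, and the package names, versions and dates are constructed.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Returns the locked releases that are younger than minAgeDays, or whose
// publish time is unknown (reported as a finding so the check fails closed).
function findYoungReleases(lock, publishTimes, now, minAgeDays) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || entry.link || !entry.version) continue; // root project, workspace links
    const name = nameFromLockKey(key);
    const published = (publishTimes[name] || {})[entry.version];
    if (!published) {
      findings.push({ name, version: entry.version, reason: "publish time unknown" });
      continue;
    }
    const ageDays = Math.floor((now.getTime() - Date.parse(published)) / DAY_MS);
    if (ageDays < minAgeDays) {
      findings.push({ name, version: entry.version, reason: `only ${ageDays} day(s) old` });
    }
  }
  return findings;
}

// Constructed sample data: package names, versions and dates are invented.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/stable-lib": { version: "2.4.1" },
    "node_modules/stable-lib/node_modules/@acme/fresh-util": { version: "0.9.0" },
    "node_modules/untracked-lib": { version: "1.0.0" },
  },
};
// Same shape as the "time" map in npm registry package metadata (version -> ISO date).
const SAMPLE_TIMES = {
  "stable-lib": { "2.4.1": "2021-06-01T10:00:00.000Z" },
  "@acme/fresh-util": { "0.9.0": "2022-02-06T03:00:00.000Z" },
};

// Evaluate the sample lockfile as of the article date with a 14-day cooldown.
function runSample() {
  return findYoungReleases(SAMPLE_LOCK, SAMPLE_TIMES, new Date("2022-02-09T00:00:00.000Z"), 14);
}

console.log(runSample());
```

In a pipeline, a non-empty result would fail the build until the release has aged past the cooldown or someone has reviewed it.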

In addition to those security posture recommendations, she added that there are software solutions that help protect open source users against these sorts of software supply chain attacks.

These solutions scan new open source releases and perform dozens of tests to assess the likelihood that the package/release is malicious. They integrate with package managers to block downloads and installations of the packages before they have any chance to exploit systems.

“Use software that can analyze package releases to find vulnerabilities and quality problems before they’re used,” she said. “These solutions are designed for exception-based alerting that doesn’t interfere with developers’ work.”

Best Practices for npm Security

St. Clair said other security best practices included updating only when your security team is confident about the content, always tracking changes, being aware of the environment and running continuous integration (CI) in isolated stages.

“It’s also important to create a security flow that matches your organization profile and take care of the entire software development life cycle,” she added.

Malicious packages on npm can also impact the software supply chain, with adversaries shifting their attacks upstream by infecting existing components that are then distributed downstream and installed potentially millions of times.

The report also found Friday, Saturday and Sunday were the most popular days for attackers to release malicious software.

“This has only just begun,” St. Clair warned. “Generally speaking, these attacks will get more sophisticated with more of them targeting sensitive data as opposed to just listening or conducting reconnaissance.”

She added that some time ago, the primary attack vector attackers used was phishing emails which then led to web browsing, which is still a mainstay.

“Fast-forward to today: Threat actors are constantly finding new avenues to infiltrate a company’s system, with attacks against the application layer becoming many enterprises’ most feared attack vector,” she said.

Source: Nathan Eddy
Via: Security Boulevard
Tags: cyberattacks, Javascript