Harming NPM Packages for illicit Activity
Researchers at Aqua’s Team Nautilus published a security advisory on the issue of hijacking developers of Open-source software, which allowed threat actors to masquerade a malicious NPM package as legitimate and trick unsuspecting developers into installing it.
A prime example is GitHub’s NPM platform allowed any developer to be added to a project as a maintainer without their permission a potential blind spot that threat actors could readily weaponize.
If an attacker picks the trusted and popular maintainers, then adds them without their approval to a malicious package, this could make a package appear legitimate and encourage users to download it, said the researchers which are dubbed “package planting” and used it for illicit activities
Developers whose reputations are exploited in this way would not be made aware that they were added as package maintainers due to a logic flaw in NPM’s invitation mechanism.
The logic issue was reported to GitHub’s bug bounty platform via HackerOne on February 10, and a fix was deployed on April 26 in the form of a new confirmation mechanism. Adding a new maintainer to an NPM project without their approval is no longer possible.
Google announced its support for the Open-Source Security Foundation’s (OpenSSF) Package Analysis project, a prototype scheme for clamping down on the propagation of malicious NPM packages which in turn connects the dots with the above issue.
The Package Analysis program is being developed to dynamically scan uploaded NPM packages for malicious signatures and to “identify when previously safe software begins acting suspiciously”.
Google is a member of OpenSSF. The tech giant conducted a study of 200 malicious NPM packages uploaded over the course of a month and found that most attacks are based on typosquatting and dependency confusion techniques.