Crap Detection for Node Package Manager

Open-source software allows the source code to be freely available to the public, allowing anyone to inspect, modify, use, or distribute the code. It is typically developed and maintained by a community of volunteer developers who collaborate and contribute to the project. According to the Linux Foundation, open-source code is used in 70-90% of every software found today (A Summary of Census II: Open Source Software Application Libraries the World Depends on – Linux Foundation, n.d.). Most of this code is a result of open-source development frameworks.

Open-source development frameworks are libraries of code and tools that provide a foundation for building software applications efficiently by supplying reusable components. Using open-source development frameworks can help streamline the software development process and reduce the time and effort required to build applications from scratch. Frameworks can be used for creating a wide range of software, including web, mobile, and desktop applications.

Development frameworks typically rely on package managers.  A package manager is a tool that helps manage the libraries, dependencies, and other components needed for a project. Using a package manager, developers can automate installing, updating, and tracking libraries needed for their projects. Many package managers employ a team of reviewers who review every request to push new updates to the repository. However, some frameworks may include public repositories in which anyone can upload their packages for the community. The Node Package Manager (NPM), which runs on the JavaScript open-source framework NodeJS, is one of the most popular public repositories and thus makes it a target for harmful activity. 

Types of Malicious Code

Several types of malicious code can exist on NPM, including:

  1. The most obvious is that some packages themselves may contain malicious code, such as backdoors, trojans, or malware, that can harm the software or compromise the security of the system it is installed on. In other cases, malicious packages may simply lie about what the package does, instead running damaging commands such as modifying system files, altering settings, or collecting and transmitting sensitive data without the user’s consent. For example, a data-stealing package was uncovered in late 2022 after going undetected for over a year (NPM Malware Attack Goes Unnoticed for a Year | TechTarget, n.d.). There has also been an increase in crypto mining malware on NPM in 2022. These malware packages contain code that mines cryptocurrencies on the computer of the person who installs the package, using their system resources without the user’s knowledge.
  2. Supply Chain Attacks. Packages on NPM may have dependencies on other packages that contain vulnerabilities, which can put the developed software at risk if the vulnerabilities are not detected somewhere in the chain. (Ellison et al., 2010)
  3. Malicious code could be hidden in packages that have suspiciously similar names to popular and frequently used packages. These are known as typo-squatting and combo-squatting attacks (Vu et al., 2020). For example, in 2017, a popular package called ‘cross-env’ was typo-squatted and malicious code hosted on a package called ‘crossenv’ preyed on developers who accidentally misspelled the package name. (Npm Blog: ‘Crossenv’ Malware on the Npm Registry, n.d.)
  4. Stealing credentials of legitimate NPM accounts and pushing malicious code onto its repository (Vu et al., 2020)

Information Literacy on NPM

The term crap detection is used describe a process of deciding whether something found online is true. To help analyze packages for possible malicious code, several studies have been done on lightweight NPM vulnerability auto-detection tools. They are very effective. In most cases, with over 90% success rate (Sejfia et al., 2022) and able to identify exact types of vulnerability (according to OWASP) with a high degree of accuracy (Brito et al., 2023). They are, however, not perfect, and we, as developers, must do our part to avoid falling into the pit of malicious intent. Here is a summary of recommendations from the studies. I am basing this on the C.R.A.A.P. and S.I.F.T. tests for information literacy, I will call this the F.I.S.T. test for NPM literacy:

  • Package Frequency of download and package updates: The NPM website contains the weekly downloads of every package on the repository. The Frequency of maintenance of a package also gives information about the safety of use, check the last publish date to see how active this project is. Projects that are not actively maintained or have low weekly downloads are a cause for concern.
  • Inspect the code: Before installing a package, review it to ensure it doesn’t contain any malicious code. Go to the package’s Github account and quickly scan the code for malicious behaviour. Look for things like email dependencies, non-consensual sending of HTTP requests, etc. This may be difficult for beginners of a framework.
  • Use Secure sources: Only install packages from trusted sources like NPM or verified package managers like yarn. From the NPM website, verify information about the package’s publisher, such as the publisher’s website and social media accounts. If they have very little information online, it may suggest they are trying to hide something.
  • Use auditing Tools: Use security tools like npm audit, which scans installed packages for known vulnerabilities, to help you identify and mitigate potential security risks. npm audit will look at existing packages in your system, but since you can only run this command after the package has been installed, it may already be too late. Alternatively, there are also many NPM rating tools. Spectralops.io lists the Top 5 NPM audit tools in 2022. Among them are Synk and SpectralOps. Both tools provide reviews and ratings of every NPM package. Search the packages you intend to use to check its rating and to ensure they are not on the known vulnerabilities list. A package with low ratings or negative reviews may indicate potential security issues.

NPM Improvements

Other solutions are suggested to improve the existing architecture and workflow of the package managers themselves. This includes:

  • Updating NPM policy to allow automatic updating to the latest version of a package to mitigate technical lag (the time it takes a developer to recognize a malicious package and update it)
  • securing critical accounts on NPM,
  • providing trust scores for developers, and
  • eviction of typo- and combo-squatters.

(Kaplan et el. 2021)

Conclusion

The Node Package Manager (NPM) is a powerful tool that helps software developers manage and share the packages they use in their projects. It provides an array of community packages which can be added to the software while enabling developers to write and share code with the community. However, with its growing popularity and widespread use, knowing how to perform crap detection on NPM effectively is a valuable asset for any modern developer looking to improve their information literacy skills.

References

A Summary of Census II: Open Source Software Application Libraries the World Depends On – Linux Foundation. (n.d.). Www.linuxfoundation.org. Retrieved February 5, 2023, from https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on#:~:text=Introduction

NPM Blog: ‘crossenv’ malware on the npm registry. (n.d.). Blog.npmjs.org. Retrieved February 4, 2023, from https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry.html

Vu, D.L., Pashchenko, I., Massacci, F., Plate, H., Sabetta, A. (2020). Typosquatting and combosquatting attacks on the python ecosystem. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 509–514.  

Ellison, R. J., Goodenough, J. B., Weinstock, C. B., & Woody, C. (2010). Evaluating and mitigating software supply chain security risks. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.

Kaplan, B., & Qian, J. (2021). A survey on common threats in npm and pypi registries. Deployable Machine Learning for Security Defense: Second International Workshop, MLHat 2021, Virtual Event, August 15, 2021, Proceedings 2 (pp. 132-156). Springer International Publishing.

NPM malware attack goes unnoticed for a year | TechTarget. (n.d.). Security. Retrieved February 4, 2023, from https://www.techtarget.com/searchsecurity/news/252525968/NPM-malware-attack-goes-unnoticed-for-a-year#:~:text=The%20researchers%20said%20that%20by

Brito, T., Ferreira, M., Monteiro, M., Lopes, P., Barros, M., Santos, J. F., & Santos, N. (2023). Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. ArXiv. https://arxiv.org/abs/2301.05097

Sejfia, A., & Schäfer, M. (2022). Practical Automated Detection of Malicious npm Packages. ArXiv. https://doi.org/10.1145/3510003.3510104

Leave a Reply

Your email address will not be published. Required fields are marked *