Infrastructure Penetration Test | Jan Kahmen | 8 min read

Node Package Manager Security - Everything about NPM Package Security

Several published versions of two widely used npm packages contain malicious code, according to the security advisories issued by GitHub, which operates the npm registry.


Node Package Manager - Widely Used Packages Compromised with Malicious Code

Investing in web security is becoming increasingly important, as a recent incident involving the Node Package Manager shows. If you recently installed the coa or rc packages for the JavaScript runtime Node.js, you may have run into problems: malicious code that was pulled straight from the npm registry onto your machine.

What may not sound too critical at first needs to be put into perspective: together, the two packages are downloaded more than 20 million times a week, by a wide variety of developers and, more importantly, by the build tools and frameworks that depend on them. This reach greatly increases how far the malware can spread and demands a correspondingly higher level of npm security. The malicious code is believed to have entered the registry through a compromised maintainer account, which was used to publish prepared versions of both packages. The account has since been deactivated, but the problem was unfortunately recognized only after the malicious versions had already been downloaded.

The Tampered Versions

According to the GitHub security advisories for the configuration loader rc and the command-line parser coa, the following published versions contain malicious code:

  • coa: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3
  • rc: 1.2.9, 1.3.9, 2.3.9

If any of these versions was installed on a machine, for example as a transitive dependency pulled in by an npm update, that machine should be considered fully compromised.

The last clean releases are coa 2.0.2 and rc 1.2.8; these are the versions to pin to until you have verified the state of your dependency tree. Be aware, however, that removing the malicious package is not enough once it has run: its install script may have handed full control of the machine to an outside party, so there is no guarantee that uninstalling the package removes everything it left behind. Rotate all secrets and keys stored on the affected machine from a different, clean machine, and rebuild the affected system.

Beware, Trojan!

The bad news is that the payload delivered by the malicious versions is a credential-stealing Trojan, reported as Qakbot: malware that harvests login details and other sensitive information. To limit the damage of stolen credentials, enable two-factor authentication (2FA) on your accounts. With 2FA in place, a correct password alone is no longer enough to log in.

Instead, an additional code is required, delivered for example to your smartphone, and the attacker does not have that code even if the password was stolen. If you want to invest in web security beyond this, regular penetration testing according to a security testing guide also makes sense. This way, you protect yourself and your company against security vulnerabilities in the long run.

What is a Node Package Manager (NPM)?

The Node Package Manager is two things: a public package registry on the one hand and a command-line interface (CLI) on the other, and each has a different role.

CLI tool: The command-line interface downloads packages and installs them into your applications, together with the packages they depend on.

Registry: The registry lets you publish and distribute reusable code. It now holds more than a million packages available to developers.

Both are available for free, so you can pull packages from the registry into your own projects at any time. This saves a great deal of time and effort, since you reuse existing functionality instead of writing everything from scratch.

The CLI also manages the dependencies of your application: when you run an install, it resolves the version ranges declared in package.json, including the dependencies of your dependencies, and fetches every matching package from the registry. Anyone who installs your project later repeats that same resolution.

Exactly these features make the Node Package Manager a helpful everyday tool. However, this high level of automation calls for a correspondingly high level of security awareness. A good foundation for hardening the surrounding systems are the CIS Benchmarks published by the Center for Internet Security. Regular penetration testing according to best practices helps keep your IT infrastructure secure on a permanent basis.

The Node Package Manager and Security Threats

npm packages are easy to use, open source and widely adopted. Their disadvantage: they also pave the way for security threats straight onto your machine. The weakest point is currently the registry itself, because the barrier to publishing a package is very low and there is no meaningful vetting of what gets uploaded.

Packages are not reviewed by a security team before they are published; any automated scanning happens only after publication, and criminals keep finding better ways to evade such checks. Unwanted content can therefore make its way into the registry and stay there until someone notices.

The challenge is not new: in 2018, criminals managed to compromise the popular event-stream package by adding a malicious dependency, flatmap-stream, to it. The injected code targeted the Copay bitcoin wallet in order to steal funds. The malicious dependency was downloaded roughly 8 million times before it was discovered and removed.

Today's incident follows the same principle. Once an attacker holds publishing rights for a package, they can release a new version that carries the malicious code directly, or add a malicious dependency to it. Everyone who installs or updates to that version then runs the attacker's code on their own machine.

How Developers Protect the Node Package Manager

To stay on the safe side as a developer, protect your registry account with a strong, unique password. Two-factor authentication is a second measure that pays off in the long run: with it enabled, a stolen password alone is not enough to publish a tampered version. This applies to the Node Package Manager just as it does to many other services.

Best Practices in NPM Security

One of the best practices with the Node Package Manager is to review the changes at hand before applying them. This additional control is not only important with npm, but with any software change. In many cases you have to trust third-party providers; blind trust, however, is not appropriate where a package declares install scripts, because npm runs the preinstall, install and postinstall hooks automatically, with your privileges, the moment the package is installed. This is exactly how the malicious coa and rc versions executed their payload.

Also important: since npm version 5, the package-lock.json file records the exact version of every resolved dependency, so that a clean install reproduces precisely that tree instead of picking up newer releases within the declared version ranges. Commit this file and install from it, because it prevents a malicious new release from entering your build unnoticed. It does not protect you on the day you deliberately update, so review what changed before you accept a new lock file.

Conclusion - Exercise Caution and keep an Eye on Developer Info

If you rely on the Node Package Manager to develop your Node.js applications, you currently need to be cautious. Do not install the affected versions, check your lock files for them, and follow the advisories for further information from the maintainers. It also pays to learn the practices of the CIS Benchmarks and secure your own systems. In this way you benefit from the CLI tool while working in a secure environment.
