Table of Contents
November 21, 2023
|4m
What Is Package Planting Vulnerability In NPM? How Does NPM Fix It?
The security research team from Aqua, a well-known security firm, has disclosed a logical flaw in NPM, a default package manager for the Node.js JavaScript runtime environment. The flaw allows adversaries to masquerade a malicious package as legitimate and managed to trick developers to download and install the package as npm skipped the author validation process and allowed adding anyone as the package maintainer without notifying users or getting their consent. Researchers have named this logical flaw “Package Planting”. Since this flaw allows any user to add as maintainers without their consent, it could create serious concerns in the DevOps landscape. Since this Package Planting vulnerability could harm potential users, it’s essential to fix it as soon as possible. Let’s see what exactly the Package Planting Vulnerability is? What complication it creates for maintainers and developers, and how NPM fixed it, and finally what you should do as maintainers and developers, in this post.
What Is Package Planting Vulnerability In NPM?
Npm allowed users to add others as package maintainers without getting their approval. A cybercriminal can utilize this as an opportunity and create a malicious npm package and add a few users as maintainers. If the adversaries added well-known names to their packages, no buddy can ignore or deny such packages by looking at the maintainers. This created room for attackers to cheat or impersonate or launder the package. The process of this cheating is termed “Package Planting ” and since it is considered a logical vulnerability, it could be coined as Package Planting Vulnerability.
In simple words, an attacker can create a malicious package and add popular and trusted maintainers. For example, the package ‘lodash’ is highly credible and popular. If we add its owners to a new, malicious package, many developers may get tricked into thinking that this package is authorized and even appealing.
How Does Package Planting Vulnerability Affects NPM?
Using package planting, an attacker can upload a malicious package and impersonate it to look legitimate and captivating. Before we see about its adverse effects, let’s see how attackers abuse the Package Planting Vulnerability in three simple steps.
Attackers will create and publish a malicious npm package.
Then he will Add well known users to his malicious package as owners or maintainers.
Remove his name from the package.
How Does It Affect Package Maintainers And Package Consumers?
Since attackers add maintainers to malicious packages, maintainers would have to face the embarrassment of even banning them from the platform.
When it comes to developers or package consumers, developers will fail in identifying the legitimate package. When they fail in determining the proof of origin, they may end up downloading or installing the wrong package.
How Does NPM Fix The Package Planting Vulnerability In NPM?
Npm instantly fixed the vulnerability after Aquasec reported it by adding a confirmation mechanism for all package maintainers. At the time of writing this post, the issue has been resolved, and adding a new maintainer to the package without their confirmation from the users is no longer possible. When you invite new maintainers, an email with an invitation link is sent to their email addresses of the invited maintainers. Maintainers should accept the invitation to hold the stake.
Conclusion
The vulnerability discussed here was fixed by npm, and there is no way to replicate it at the moment. Over the past few years, open-source projects have significantly improved their security. However, criminals become more sophisticated and come up with new ways to exploit them. Eventually, developers are responsible for the flaws in the open-source packages they use while creating applications. It’s important to leverage reliable sources for third-party components to mitigate risks.
Moreover, they can detect software supply chain threats such as package planting to secure your environment with solutions. NPM users should check that all packages listed under their name truly belong to them. It’s to ensure that they were not added to any projects without their consent.
We hope this post would help you learn What is Package Planting Vulnerability in NPM? How does NPM Fix it? Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
How To Protect Your Company From This npm Supply Chain Attack
How To Protect Your Azure Development Environment From These Malicious npm Packages?
How to Protect Your Private NPM Packages Being Exposed Using NPM API Timing Attack
8 Malicious Python Libraries Found On PyPI – Remove Them As Soon As Possible
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
