What Is Package Planting Vulnerability In NPM?
npm allowed any user to add any other account as a maintainer of a package without that account's approval. An attacker could exploit this by publishing a malicious npm package and adding a few other users to it as maintainers. If the attacker picked well-known names, nobody judging the package by its maintainers list would have a reason to distrust it. This created room to impersonate a reputable maintainer, or to launder a malicious package behind a respected name. The technique is called "Package Planting", and since the flaw lies in the registry's permission logic rather than in any code bug, it has been coined the Package Planting Vulnerability.
In simple words, an attacker could create a malicious package and add popular, trusted maintainers to it. For example, the package 'lodash' is highly credible and popular. If an attacker added its owners as maintainers of a new, malicious package, many developers could be tricked into thinking that the package was authorized by the lodash team, and might even find it appealing for that reason.
How Does The Package Planting Vulnerability Affect NPM?
Using package planting, an attacker can publish a malicious package and dress it up to look legitimate and attractive. Before looking at its consequences, here is how attackers abused the Package Planting Vulnerability, in three simple steps.
- The attacker creates and publishes a malicious npm package under their own account.
- The attacker adds well-known npm users to the malicious package as owners (maintainers); at the time, this required no consent from those users.
- The attacker removes their own account from the package's maintainers, so that only the trusted names remain visible.
How Does It Affect Package Maintainers And Package Consumers?
Because attackers add them to malicious packages without their knowledge, legitimate maintainers end up with malware listed under their name. At best this is embarrassing; at worst it damages their reputation or gets their account reported and banned from the platform for a package they never touched.
For developers consuming packages, the maintainers list no longer proves where a package came from. A developer who relies on it to judge legitimacy cannot tell a planted package from a genuine one and may end up downloading or installing the wrong, malicious package.
How Did NPM Fix The Package Planting Vulnerability?
npm fixed the vulnerability promptly after Aqua Security reported it, by adding a confirmation step for all new package maintainers. At the time of writing, adding a maintainer to a package without that user's confirmation is no longer possible: when you invite a new maintainer, an email with an invitation link is sent to the invited user's address, and the user has to accept the invitation before they are listed as a maintainer.
Because npm has fixed the vulnerability, the attack described here can no longer be reproduced against the public registry. Open-source projects have significantly improved their security over the past few years, but attackers keep getting more sophisticated and keep finding new ways to abuse the ecosystem. In the end, developers carry the risk of the open-source packages they build into their applications, so it is important to obtain third-party components from reliable sources.
Tooling that detects software supply chain threats such as package planting can also help secure your environment. In addition, every npm user should check that all packages listed under their account genuinely belong to them, to confirm that they were not added to any package without their consent.
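As an added example (not code from the original post, from npm, or from Aqua Security), the following Python script performs that check against the public registry's search API. It assumes the `maintainer:<username>` search qualifier and the `objects[].package.{name, maintainers, publisher}` response shape of https://registry.npmjs.org/-/v1/search; the sample response embedded in it is constructed, not real registry data. Besides diffing the result against an allow-list of packages you know you own, it flags packages whose latest version was published by an account that is no longer a maintainer, which is the trace the third step of the attack leaves behind (treat that as a heuristic, since a legitimate ownership handover produces the same pattern).

```python
"""Audit which npm packages list an account as maintainer.

Added example for this article; it is not code from the original post,
from npm, or from Aqua Security. It assumes the public registry's search
endpoint (https://registry.npmjs.org/-/v1/search) with the
"text=maintainer:<username>" qualifier and its documented response
shape: objects[].package.{name, version, maintainers[], publisher}.
"""
import json
import sys
import urllib.parse
import urllib.request

REGISTRY_SEARCH = "https://registry.npmjs.org/-/v1/search"


def search_by_maintainer(username, fetch=None, size=250):
    """Return the parsed search result for 'maintainer:<username>'.

    `fetch` is injectable so the audit logic can run offline in tests;
    by default it performs a real HTTPS GET against the registry.
    """
    query = urllib.parse.urlencode({"text": f"maintainer:{username}", "size": size})
    url = f"{REGISTRY_SEARCH}?{query}"
    if fetch is None:
        def fetch(target):
            with urllib.request.urlopen(target, timeout=30) as resp:
                return resp.read().decode("utf-8")
    return json.loads(fetch(url))


def audit_maintainer(username, expected_packages, search_result):
    """Compare the packages naming `username` as maintainer with an allow-list.

    Returns a dict with two findings:
      unexpected         - packages that list the account but are not in
                           `expected_packages` (candidate planted packages)
      orphaned_publisher - packages whose latest version was published by an
                           account that is no longer in the maintainers list.
                           That is the footprint the third attack step leaves
                           (attacker publishes, then removes their own account).
                           Heuristic only: legitimate handovers look the same.
    """
    expected = set(expected_packages)
    unexpected = []
    orphaned_publisher = []
    for obj in search_result.get("objects", []):
        pkg = obj["package"]
        maintainers = {m["username"] for m in pkg.get("maintainers", [])}
        # Registry search is fuzzy; only trust the explicit maintainers field.
        if username not in maintainers:
            continue
        if pkg["name"] not in expected:
            unexpected.append(pkg["name"])
        publisher = (pkg.get("publisher") or {}).get("username")
        if publisher and publisher not in maintainers:
            orphaned_publisher.append((pkg["name"], publisher))
    return {
        "unexpected": sorted(unexpected),
        "orphaned_publisher": sorted(orphaned_publisher),
    }


# Constructed sample response in the registry's shape (not real registry data).
# "alice" maintains real-utils. "mallory" planted totally-legit-helper on alice
# and bob, then removed the mallory account, leaving only the publisher field.
SAMPLE_RESPONSE = {
    "objects": [
        {"package": {"name": "real-utils", "version": "1.2.0",
                     "maintainers": [{"username": "alice", "email": "alice@example.com"}],
                     "publisher": {"username": "alice", "email": "alice@example.com"}}},
        {"package": {"name": "totally-legit-helper", "version": "0.0.1",
                     "maintainers": [{"username": "alice", "email": "alice@example.com"},
                                     {"username": "bob", "email": "bob@example.com"}],
                     "publisher": {"username": "mallory", "email": "mallory@example.com"}}},
        {"package": {"name": "unrelated-pkg", "version": "3.0.0",
                     "maintainers": [{"username": "carol", "email": "carol@example.com"}],
                     "publisher": {"username": "carol", "email": "carol@example.com"}}},
    ],
    "total": 3,
}


def demo():
    """Run the audit offline against SAMPLE_RESPONSE for the account 'alice'."""
    result = search_by_maintainer("alice", fetch=lambda _url: json.dumps(SAMPLE_RESPONSE))
    return audit_maintainer("alice", ["real-utils"], result)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Live audit: python audit_npm_maintainer.py <username> [expected-package ...]
        live = search_by_maintainer(sys.argv[1])
        print(json.dumps(audit_maintainer(sys.argv[1], sys.argv[2:], live), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with no arguments to see the offline demo (totally-legit-helper is reported both as unexpected and as having an orphaned publisher), or pass your npm username followed by the packages you know you own to audit your real account. The search endpoint returns at most 250 results per call, so an account with more packages than that needs paging with the endpoint's `from` parameter.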
We hope this post helped you learn what the Package Planting Vulnerability in npm is and how npm fixed it.