Security-wg: Github code != npm reg. code is serious security issue

Created on 27 Nov 2018  路  4Comments  路  Source: nodejs/security-wg

I would like to preface this by saying that I realize that NPM is not NodeJS, but considering the marriage between the two, serious vulnerabilities in NPM do have practical implications for NodeJS users (of which I am one). Now to the issue...

I am concerned about the recent issue of minified code from the NPM registry containing malware that was not present on the Github repository, which was the attack vector used in recent event-stream case. Now that this attack vector is widely known, more opportunists will exploit it and this will impact the security of NodeJS users. In my view, the key issue is the inconsistency between the code being shown on Github and that delivered by the NPM registry. This inconsistency takes away the users ability to audit the code they are using and readily identify the introduction of malware.

This would not be such a problem if the code downloaded from the NPM registry was guaranteed to be consistent with what is on Github (and some kind of warning if it is not). Is this a possible solution? And as the situation stands, how can this attack vector be mitigated?

Most helpful comment

@Trott Thank you for your kind response. The certified modules program appears to be a satisfactory solution to my problem.

On the broader issue, NPM is bundled with NodeJS and is considered to be part of NodeJS by most users. It's an inconvenient reality and I'm sure that many of you have debated this issue before.

Anyway, I am thankful for the good work of the Security WG team!

All 4 comments

Not only the minified code, but there is a need to avoid typosquatting attacks in module names too.
Some time ago, a popular cross-env npm package had an evil twin called crossenv. For the event-stream we have an eventstream that have only 10 weekly downloads.
But what if the eventstream were a working replica/fork of the real event-stream, how many developers would use it because tried to install it and it "worked as expected"?

there is a need to avoid typosquatting attacks

npm has automated typosquatting prevention. eventstream was created 7 years ago, so it pre-dates npm implementing that. Regardless, there's likely not a whole lot Node.js can do to prevent typosquatting on npm. https://npm.community/ is probably a better place to ask/discuss/whatever about typosquatting (although maybe Security WG members disagree with me on that).

I would like to preface this by saying that I realize that NPM is not NodeJS
...
This would not be such a problem if the code downloaded from the NPM registry was guaranteed to be consistent with what is on Github (and some kind of warning if it is not). Is this a possible solution?

There is likely very little or nothing at all that Node.js can reasonably do to guarantee that npm module code matches GitHub source. The place to take that up is almost certainly https://npm.community/ (although again, maybe Security WG member disagree with me on that). That said...

And as the situation stands, how can this attack vector be mitigated?

Use a validated-modules service like NodeSource's Certified Modules program? Don't use the npm registry at all? Manually review code for all packages you use and reject modules that are difficult to review due to minification or other reasons? Become a paying customer of npm's rather than a free tier user and see if you can advocate for this sort of thing as a paying customer? Research Node.js security products offered by companies like Intrinsic?

(Standard-ish disclaimer: I'm omitting many great security products above that might be relevant. Mention above is not endorsement etc. It's just what happens to be on my radar at the moment. I work for the state of California and not for any company at all. It is my wish to see all Node.js companies and products thrive.)

@Trott Thank you for your kind response. The certified modules program appears to be a satisfactory solution to my problem.

On the broader issue, NPM is bundled with NodeJS and is considered to be part of NodeJS by most users. It's an inconvenient reality and I'm sure that many of you have debated this issue before.

Anyway, I am thankful for the good work of the Security WG team!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

MarcinHoppe picture MarcinHoppe  路  7Comments

sam-github picture sam-github  路  7Comments

dougwilson picture dougwilson  路  8Comments

RRomoff picture RRomoff  路  8Comments

vdeturckheim picture vdeturckheim  路  8Comments