
The Butterfly Effect: How Compromise Of A Few NPM Package Maintainers Can Lead To Security Chaos?

What’s the problem?

A new study conducted by the Department of Computer Science from the Technical University of Darmstadt finds that a small number of compromised maintainer accounts could lead to malware injection into a majority of npm packages.

A brief overview

JavaScript is one of the most widely used programming languages. To supply JavaScript developers with third-party code, the node package manager (npm) provides over 800,000 free and reusable code packages. This scale, however, also introduces security risks.

  • In order to determine the security risks for users of npm, researchers analyzed the package dependencies, maintainers of packages, and the publicly reported security issues.
  • Overall, the researchers analyzed 5,386,239 versions of packages, 199,327 maintainers, and 609 publicly known security issues.

The npm ecosystem consists of an online database for searching packages suitable for given tasks and a package manager, which resolves and automatically installs dependencies.

Key findings

The study revealed that individual packages could impact large parts of the entire npm ecosystem.

  • A small number of compromised maintainer accounts could lead to injecting malicious code into the majority of all npm packages.
  • The lack of maintenance causes many packages to depend on vulnerable code and the study revealed that up to 40% of all packages depend on code with at least one publicly known vulnerability.
  • Installing an average npm package implicitly places trust in almost 79 third-party packages and 39 maintainers, creating a large attack surface.
  • Highly popular packages directly or indirectly influence many other packages (often more than 100,000), thereby increasing the risk of malware injection attacks.

“We show that about 140 of such maintainers (out of a total of more than 150,000) could halve the risk imposed by compromised maintainers,” researchers noted.
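To make the "implicit trust" and "maintainer reach" measurements behind the findings above concrete, here is an added example (not code from the study or from npm) that computes both over a constructed toy dependency graph; all package and account names are made up.

```javascript
// Constructed toy npm-style registry (made-up names, not real data): each package
// lists its direct dependencies and the accounts allowed to publish it.
const registry = {
  "app":       { deps: ["web", "cli"],       maintainers: ["alice"] },
  "web":       { deps: ["http-util", "log"], maintainers: ["bob"] },
  "cli":       { deps: ["log", "colors"],    maintainers: ["carol"] },
  "http-util": { deps: ["log"],              maintainers: ["dave", "eve"] },
  "log":       { deps: ["is-thing"],         maintainers: ["eve"] },
  "colors":    { deps: ["is-thing"],         maintainers: ["frank"] },
  "is-thing":  { deps: [],                   maintainers: ["eve"] },
};

// Transitive dependency closure of pkg (the visited set also handles cycles).
function transitiveDeps(registry, pkg) {
  const seen = new Set();
  const stack = [...(registry[pkg]?.deps ?? [])];
  while (stack.length) {
    const d = stack.pop();
    if (seen.has(d)) continue;
    seen.add(d);
    for (const dd of registry[d]?.deps ?? []) stack.push(dd);
  }
  return seen;
}

// Accounts implicitly trusted when installing pkg: anyone who can publish pkg
// itself or any package in its transitive closure.
function implicitlyTrustedMaintainers(registry, pkg) {
  const accounts = new Set(registry[pkg]?.maintainers ?? []);
  for (const d of transitiveDeps(registry, pkg))
    for (const m of registry[d]?.maintainers ?? []) accounts.add(m);
  return accounts;
}

// Maintainer reach: packages whose install pulls in code a given account can
// publish, i.e. the blast radius if that one account were compromised.
function maintainerReach(registry) {
  const reach = new Map();
  for (const pkg of Object.keys(registry))
    for (const m of implicitlyTrustedMaintainers(registry, pkg))
      (reach.get(m) ?? reach.set(m, new Set()).get(m)).add(pkg);
  return reach;
}

// Rank accounts by reach; the top few are the ones that merit extra vetting.
function rankMaintainers(registry) {
  return [...maintainerReach(registry)]
    .map(([m, pkgs]) => [m, pkgs.size])
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}
console.log(rankMaintainers(registry)); // [ ['eve', 7], ['dave', 3], ['frank', 3], ... ]
```

In this toy graph a single account ("eve") reaches all seven packages because it publishes a leaf utility everything depends on, which is the effect the study measures at ecosystem scale.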

Mitigations

Potential mitigations for the security risks in the npm ecosystem include:

  • Creating awareness among the developers who use third-party packages about the risks involved in the npm ecosystem.
  • Warning developers about unpatched vulnerabilities in their dependencies.
  • Vetting the code of new releases of certain packages.
  • Training and vetting highly influential maintainers.

“These findings show that recent security incidents in the npm ecosystem are likely to be the first signs of a larger problem, and not only unfortunate individual cases. To mitigate the risks imposed by the current situation, we analyze the potential effectiveness of several mitigation strategies. We find that trusted maintainers and a code vetting process for selected packages could significantly reduce current risks,” researchers concluded.

Cyware Publisher