NPM (or Node Package Manager) is billed as “the largest software registry in the world,” storing more than 1.3 million software packages. First released in 2010, npm was initially intended for distributing projects written in Node.js, a JavaScript run-time environment for server-side and networking applications. However, npm has now expanded to any project written in the JavaScript programming language.
Npm helps software developers manage the multiple libraries, frameworks, and tools needed for a software project.
NPM malware
Despite the advantages of npm for sharing and reusing software code, it comes with potential risks and downsides, including npm malware. The npm registry has recently suffered from software supply chain attacks that can introduce malware into a software project.
Malware can enter the npm supply chain through several techniques. One common method is “typosquatting,” in which attackers publish malicious packages under names that are misspellings of, or otherwise look like, a popular package (a transposed letter, a missing hyphen, an extra “s”). Developers who mistype the name, or copy it from an unreliable source, install the malicious package instead of the real one. Another, more sophisticated tactic is inserting malicious code into a legitimate package, for example by taking over a maintainer’s account or one of the package’s own dependencies, so that a trusted name quietly ships a backdoor to everyone who updates.
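The typosquatting check described above, as an added example that is not part of the original article or of npm itself: it compares every dependency name in a package.json against a list of well-known package names and flags near-misses by edit distance. The list of well-known names and the sample dependencies are constructed for this demo; the misspelled names are placeholders, not real packages.

```javascript
// Added example (not from the original article or from npm): a small
// typosquatting check for the dependencies in a package.json.

// Constructed list of well-known package names. In practice you would load a
// much longer list, e.g. the most-downloaded packages on the registry.
const POPULAR_PACKAGES = [
  "express", "lodash", "react", "axios", "chalk",
  "commander", "moment", "debug", "uuid", "minimist",
];

// Constructed sample of the "dependencies" object of a package.json.
// "expres", "axois" and "lodahs" are placeholder misspellings, not real packages.
const SAMPLE_DEPENDENCIES = {
  "express": "^4.18.2",
  "expres": "^1.0.0",
  "axois": "^1.0.0",
  "lodahs": "^4.17.0",
  "uuid": "^9.0.0",
  "my-internal-lib": "^2.1.0",
};

// Levenshtein edit distance (insertions, deletions, substitutions),
// computed with a single rolling row.
function levenshtein(a, b) {
  const prev = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds D[i-1][j-1] as j advances
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip a scope so "@scope/expres" is compared as "expres".
function unscoped(name) {
  return name.startsWith("@") && name.includes("/")
    ? name.slice(name.indexOf("/") + 1)
    : name;
}

// Return every dependency whose (unscoped) name is within maxDistance edits of
// a well-known package name but is not that package. Exact matches are the
// legitimate package and are skipped; scope-level lookalikes such as
// "@evil/express" are out of scope for this check.
function findSuspiciousDependencies(deps, popular, maxDistance = 2) {
  const known = new Set(popular);
  const hits = [];
  for (const name of Object.keys(deps)) {
    const bare = unscoped(name);
    if (known.has(name) || known.has(bare)) continue;
    let best = null;
    for (const p of popular) {
      const d = levenshtein(bare, p);
      if (d <= maxDistance && (best === null || d < best.distance)) {
        best = { name, lookalike: p, distance: d };
      }
    }
    if (best) hits.push(best);
  }
  // closest lookalikes first, then alphabetical for stable output
  return hits.sort((x, y) => x.distance - y.distance || x.name.localeCompare(y.name));
}

// Demo run on the constructed sample.
for (const h of findSuspiciousDependencies(SAMPLE_DEPENDENCIES, POPULAR_PACKAGES)) {
  console.log(`suspicious: "${h.name}" is ${h.distance} edit(s) from "${h.lookalike}"`);
}
```

A distance threshold of 2 catches the common transpositions and dropped letters while keeping false positives manageable; any hit still needs a human look at the package’s registry page (publisher, download counts, age) before it is removed or allowed.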
NPM security incidents
According to Mend (formerly WhiteSource), attackers released at least 1,300 malicious packages on the npm registry in 2021. The study found that while 14% of npm malware is actively intended to steal credentials, 82% of npm malware is designed for passive reconnaissance on its targets.
What’s more, npm malware attacks show no sign of slowing down. In October 2022, security researchers discovered an extensive supply chain attack using npm malware, with nearly 200 malicious packages. The operation, which had gone unnoticed for more than a year, sought to steal users’ account information and credit card data.
NPM audit to the rescue
In the face of npm malware attacks, checking the software supply chain with npm audit is a big step in the right direction.
npm audit is a command that retrieves a report of the known vulnerabilities in a project’s dependency tree, including vulnerabilities in transitive (third-party) dependencies, by comparing the installed versions against the registry’s advisory database. On its own, npm audit only reports. Two subcommands change what it does:
- npm audit signatures verifies the registry signatures of the packages installed in the project, so that a package whose tarball was altered after publication is flagged.
- npm audit fix attempts to automatically fix the vulnerabilities detected in the project and its dependencies. Vulnerabilities that cannot be fixed automatically (for instance because no non-vulnerable version exists) must be reviewed and fixed manually.
To do so, npm audit fix changes the versions of packages and dependencies in the project as necessary to reach non-vulnerable releases. By default it stays within the version ranges declared in package.json; semver-major upgrades are applied only with npm audit fix --force, which can break the project and should be followed by a test run. An audit also runs automatically each time you install a package from the registry, and it can be run manually at any time against the locally installed packages.
By running npm audit at regular intervals (for example as a gate in continuous integration), you keep your dependencies free of known vulnerabilities. It is not a malware scanner, though: a typosquatted or backdoored package that nobody has reported yet has no advisory and passes the audit, so the audit complements, rather than replaces, checking package names and maintainers before adding a dependency.
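One way to turn the audit described above into a build gate, as an added example that is not the article’s or npm’s own code: a script reads the JSON that npm audit --json prints, fails the build when any finding is at or above a chosen severity, and tells the developer whether npm audit fix can handle each one. The report below is a constructed sample in the auditReportVersion 2 shape that npm 7 and later print; the package names and findings in it are placeholders, not real advisories.

```javascript
// Added example (not from the original article or from npm): a CI gate over
// `npm audit --json` output.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed stand-in for the text `npm audit --json` would write to stdout.
// Shape follows auditReportVersion 2 (npm 7+); contents are placeholders.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: true,
      via: [{ name: "example-parser", severity: "high", title: "placeholder finding", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/example-parser"],
      // a fix exists, but only by crossing a major version
      fixAvailable: { name: "example-parser", version: "2.0.1", isSemVerMajor: true },
    },
    "example-transport": {
      name: "example-transport", severity: "moderate", isDirect: false,
      via: [{ name: "example-transport", severity: "moderate", title: "placeholder finding", range: "<0.9.0" }],
      effects: ["example-logger"], range: "<0.9.0", nodes: ["node_modules/example-transport"],
      fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger", severity: "moderate", isDirect: true,
      via: ["example-transport"], // vulnerable only through its dependency
      effects: [], range: "1.0.0 - 1.4.2", nodes: ["node_modules/example-logger"],
      fixAvailable: true,
    },
    "example-colors": {
      name: "example-colors", severity: "low", isDirect: false,
      via: [{ name: "example-colors", severity: "low", title: "placeholder finding", range: "*" }],
      effects: [], range: "*", nodes: ["node_modules/example-colors"],
      fixAvailable: false, // no non-vulnerable release exists
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 2, high: 1, critical: 0, total: 4 } },
});

// Parse audit output and reject report shapes this gate does not understand.
function parseAuditReport(jsonText) {
  const report = JSON.parse(jsonText);
  if (report.auditReportVersion !== 2 || typeof report.vulnerabilities !== "object") {
    throw new Error("unsupported audit report format (expected auditReportVersion 2)");
  }
  return report;
}

// Describe what `npm audit fix` can do about one finding.
function remediation(v) {
  if (v.fixAvailable === true) return "npm audit fix";
  if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
    return `semver-major upgrade to ${v.fixAvailable.name}@${v.fixAvailable.version} ` +
      "(npm audit fix --force; review breaking changes)";
  }
  if (v.fixAvailable) return `npm audit fix (to ${v.fixAvailable.name}@${v.fixAvailable.version})`;
  return "no automatic fix; replace the package or review manually";
}

// Return the findings at or above `threshold`, most severe first, and the
// exit code a CI step should use.
function evaluateAudit(report, threshold = "high") {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity: ${threshold}`);
  const floor = SEVERITY_RANK[threshold];
  const failing = Object.values(report.vulnerabilities)
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= floor)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name))
    .map((v) => ({ name: v.name, severity: v.severity, direct: v.isDirect, fix: remediation(v) }));
  return { failing, exitCode: failing.length > 0 ? 1 : 0 };
}

// Demo on the constructed report. In CI you would read stdin instead:
//   npm audit --json | node audit-gate.js
const result = evaluateAudit(parseAuditReport(SAMPLE_AUDIT_JSON), "moderate");
for (const f of result.failing) {
  console.log(`${f.severity.padEnd(8)} ${f.name}${f.direct ? " (direct)" : ""}: ${f.fix}`);
}
console.log(`exit code would be ${result.exitCode}`);
```

Gating on severity rather than on the raw count keeps low-severity noise from blocking every build while still stopping a high or critical finding, and surfacing isSemVerMajor up front tells the developer when npm audit fix alone will not be enough.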