NPM Repository Under Attack: Over 100 Malicious Packages Discovered
Attackers have been exploiting a significant weakness in the NPM code repository, allowing them to upload over 100 credential-stealing packages since August, most of which went undetected. The weakness has been used to flood NPM with malicious packages that have been downloaded more than 86,000 times. According to security firm Koi, the campaign, tracked as PhantomRaven, takes advantage of NPM’s support for “Remote Dynamic Dependencies” to distribute these malicious packages.
A Major Blind Spot in NPM Security
PhantomRaven has exposed a significant blind spot in traditional security tooling, as noted by Koi’s Oren Yomtov. “Remote Dynamic Dependencies aren’t visible to static analysis,” Yomtov explained. This lack of visibility has allowed attackers to upload malicious packages that appear to have “0 Dependencies,” making them nearly invisible to developers and security scanners.
Understanding Remote Dynamic Dependencies
Remote Dynamic Dependencies provide greater flexibility in accessing dependencies, which are code libraries required for many packages to function. Normally, dependencies are visible to the developer installing the package and are downloaded from NPM’s trusted infrastructure. However, Remote Dynamic Dependencies work differently, allowing packages to download dependencies from untrusted websites, even those that connect over unencrypted HTTP.
The PhantomRaven attackers have exploited this leniency by declaring dependencies in the malicious packages that are fetched from attacker-controlled URLs, such as http://packages.storeartifact.com/npm/unused-imports. These dependencies are “invisible” to developers and to many security scanners, yet NPM resolves and installs them automatically along with the package. Compounding the weakness, the dependencies are downloaded “fresh” from the attacker’s server every time the package is installed, rather than being cached, versioned, or otherwise static, so the attacker can change what gets delivered at any time.
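Because the registry listing shows such packages as having “0 Dependencies,” a defender has to look at the package’s own manifest to find them. The following is an added example, not code from the article or from Koi: it parses a package.json and flags every dependency whose specifier is a remote URL, a git reference, or a local path rather than a registry version range, marking plain http:// and git:// fetches as insecure. The sample manifest and all package names in it except the article’s http://packages.storeartifact.com URL are constructed for this illustration.

```javascript
// Added example: detect dependencies that npm would fetch from outside the
// registry (what the article calls "Remote Dynamic Dependencies").
// Not the article's or Koi's code; the sample package.json below is constructed.

const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Classify one dependency specifier. Returns null for ordinary registry
// specs (semver ranges, dist-tags, "npm:" aliases) and a finding record for
// anything that resolves outside the registry.
function classifySpec(name, spec) {
  if (typeof spec !== "string") return null;
  const s = spec.trim();

  // Tarball or git reference with a URL scheme: http://host/pkg, git+ssh://...
  const urlMatch = s.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (urlMatch) {
    const scheme = urlMatch[1].toLowerCase();
    return {
      name,
      spec: s,
      kind: scheme.startsWith("git") ? "git" : "url",
      // Plain http:// and git:// carry no transport authentication or encryption.
      insecure: scheme === "http" || scheme === "git",
    };
  }
  // Hosted git shorthands: github:user/repo, gitlab:..., or bare user/repo#ref.
  if (/^(github|gitlab|bitbucket|gist):/i.test(s) || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) {
    return { name, spec: s, kind: "git", insecure: false };
  }
  // Local paths are not remote, but they also bypass the registry.
  if (/^(file:|\.{0,2}\/|~\/)/.test(s)) {
    return { name, spec: s, kind: "file", insecure: false };
  }
  return null;
}

// Walk every dependency field of a parsed package.json and collect findings.
function findRemoteDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const hit = classifySpec(name, spec);
      if (hit) findings.push({ field, ...hit });
    }
  }
  return findings;
}

// Parse raw package.json text and audit it.
function auditPackageJson(text) {
  return findRemoteDependencies(JSON.parse(text));
}

// Constructed sample manifest. Only the storeartifact.com URL comes from the
// article; every other name and URL here is made up for the example.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "lodash": "^4.17.21",
    "unused-imports": "http://packages.storeartifact.com/npm/unused-imports",
    "left-pad": "https://example.invalid/left-pad-1.3.0.tgz",
  },
  devDependencies: {
    "some-tool": "github:example-org/some-tool",
    "local-helper": "file:../local-helper",
  },
});

// Print one line per finding; "INSECURE" marks unencrypted fetches.
for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  const label = f.insecure ? "INSECURE" : "remote";
  console.log(`${label.padEnd(8)} ${f.field}.${f.name} -> ${f.spec}`);
}
```

To audit a real project, replace SAMPLE_PACKAGE_JSON with the contents of its package.json (or the package.json of each installed package under node_modules). The check works on the manifest itself rather than on the registry’s dependency count, which is exactly the metadata the article says these packages hide from; a URL-specified dependency that is re-fetched on every install is a reasonable reason to block the package until the tarball has been reviewed and pinned.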
Consequences and Implications
The discovery of these malicious packages has significant implications for the security of the NPM ecosystem. With over 86,000 downloads, the potential damage is substantial. As Koi noted, PhantomRaven demonstrates how sophisticated attackers are getting better at exploiting blind spots in traditional security tooling. The fact that 80 of these malicious packages remained available on NPM as of Wednesday morning highlights the need for improved security measures.
For more information on this weakness and the PhantomRaven campaign, see the Koi blog post.
Image Credit: arstechnica.com