Close-up NPM package showing malware

Bug Allows Malware Authors To Add Reputable Contributors To Malicious NPM Packages Without Their Knowledge or Consent

A logical flaw in NPM, the default package manager for Node.js, allowed developers of malicious NPM packages to add trusted contributors to boost trust and enhance malware distribution.

Dubbed “package planting,” attackers could add legitimate contributors to malicious packages as “maintainers” without their approval or notifying them.

Additionally, threat actors could silently remove themselves from the malicious package, leaving behind the trusted contributors as the sole maintainers.

The threat actors intended to link the authors of popular NPM libraries to the attacker’s poisoned package to lure developers into downloading them.

Malware-laced NPM packages could cause supply chain attacks and inflict reputational damage

Cloud security firm Aqua says the logical flaw meant that an adversary could create malicious packages and unilaterally associate them with maintainers of popular packages without their consent or knowledge.

“Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent,” Aqua security researcher Yakir Kadkoda said in a report published Tuesday.

By carefully selecting popular contributors, malware distributors could bump the reputation of their malicious NPM packages.

He noted that the risks of a supply chain attack are significant from the vulnerabilities disclosed in the NPM platform. Additionally, the flaw could inflict reputational damage on the package maintainers listed on malicious NPM packages.

Apart from malware distribution, malicious individuals could leverage package planting to defame, embarrass, and banish popular developers from the platform. This could happen when NPM finally discovers malicious NPM packages solely associated with the victims.

Kadkoda demonstrated how attackers could add reputable contributors to malicious NPM packages. He created a demo package, ‘fb_npm_package,’ and successfully added official Facebook and NPM accounts as maintainers before removing himself.

He noted that a simple invite confirmation mechanism could prevent the forced addition of contributors to malicious NPM packages.

However, the researcher confirmed that the issue was remediated by NPM on April 26, making it impossible to add contributors to NPM packages without their approval.

Kadkoda stated that the issue could no longer be replicated and did not confirm whether the flaw had been exploited.

He advised developers to be cautious about the open-source packages they included in their software. Similarly, contributors should review NPM packages listed under their name to ensure that attackers had not added them to malware packages without their knowledge. NPM should also require that contributors manually confirm every existing repository earlier added to their name by third parties.

Meanwhile, Aqua researchers discovered two additional flaws in the NPM platform‘s two-factor authentication (2FA), allowing attackers to execute account takeover attacks and publish malicious packages.

NPM package planting flaw is hardly the only vulnerability affecting source and version control systems. Github also suffers a logical flaw that allows anyone to submit commits on behalf of another contributor. Similarly, attackers have successfully poisoned NPM, PyPi, and RubyGems open-source package managers with malware.

Balancing developer efficiency and code security

Dave Cundiff, CISO at Cyvatar, lamented that a process aimed at simplifying software development could have unintended consequences, including malware distribution.

“There should never be an instance where some mechanism of a process can improve reliability or reputation without confirmation,” Cundiff said. “It is a noble aim to improve and aid developers in their goals, it is important to make software development as easy and self-service as possible, but there is a necessary balance that requires a modicum of review and accountability for these types of approaches.”

He absolved the NPM team from potential blame but hoped for more concrete steps to address security loopholes.

“This does not mean that NPM is bad or irresponsible, but hopefully, this does provide more than just a one-time fix by improving the approach to their review process for feature release.”