6 Common npm Vulnerabilities and How to Fix Them

npm is the default package manager for the JavaScript runtime environment Node.js.

January 22, 2023

What Is npm?

npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. npm stands for Node Package Manager. npm makes it easy to reuse code across projects, and to share code with others. It also provides a convenient way to keep your project dependencies up to date.

With npm, you can install and manage packages (libraries, frameworks, tools, etc.) that you use in your Node.js projects. These packages are published to the npm registry, which is a public repository of packages that anyone can use. 

To use npm, you need to install Node.js on your system. Once you have Node.js installed, you can use npm to install packages from the command line by running npm install <package-name>. You can also use npm to manage your project dependencies by creating a package.json file in your project directory, which specifies the dependencies that your project requires.

This is part of a series of articles about supply chain security

In this article:

What Are npm Security Vulnerabilities?

Like any software, npm packages can sometimes contain security vulnerabilities that can be exploited by attackers. These vulnerabilities can be introduced through a variety of means, such as by the package maintainer intentionally introducing malicious code or by someone discovering and exploiting a weakness in the package’s code.

The impact of npm security vulnerabilities can vary depending on the specific vulnerability and the extent to which it is exploited. In some cases, a vulnerability may allow an attacker to execute arbitrary code on the user’s system or to steal sensitive information. In other cases, the vulnerability may be less serious, such as allowing an attacker to perform a Denial of Service (DoS) attack or to access resources that they would not normally have access to.

It is important for developers to be aware of npm security vulnerabilities and to take steps to mitigate their impact. This may involve regularly updating packages to the latest versions, which may include security patches, and being careful about which packages are installed in a project. It is also a good idea to use automated tools that can help to identify vulnerabilities in installed packages.

Common npm Vulnerabilities and How to Fix Them 

Private npm Packages Disclosed via Timing Attacks

A timing attack is a type of cyber attack that seeks to exploit vulnerabilities in software by analyzing the time it takes for the software to perform a specific task. Timing attacks can be used to gather sensitive information about a system, such as passwords or encryption keys.

In the context of npm, a timing attack could potentially be used to disclose the contents of private npm packages. This could occur if an attacker is able to measure the time it takes for the npm registry to respond to requests for package metadata, and use this information to deduce the contents of private packages.

To mitigate vulnerabilities related to timing attacks in npm:

  • Use a firewall or other security measures to protect your network and prevent unauthorized access to your npm account and private packages.
  • Keep your npm client and other software up to date with the latest security patches to fix known vulnerabilities.

By following these steps, you can help protect your npm account and private packages from vulnerabilities related to timing attacks and other security threats.

npm Flaws Enabling Target Attacks 

A target attack is a type of cyber attack that seeks to exploit vulnerabilities in a specific target, such as a website, network, or system. Target attacks can take many forms, such as denial of service (DoS) attacks, SQL injection attacks, or cross-site scripting (XSS) attacks.

There have been instances where vulnerabilities in npm have enabled target attacks. For example, in 2018, a malicious package called “event-stream” was published to the npm registry, which contained code that was designed to steal Bitcoin from users of the popular cryptocurrency wallet app “Copay”. This package was downloaded over 2 million times before it was discovered and removed from the registry.

To mitigate vulnerabilities related to target attacks in npm:

  • Use npm audit to scan your project for known vulnerabilities and take action to fix them.
  • Use a security scanner or other tool to regularly check your project dependencies for known vulnerabilities.
  • Consider using a package manager that includes security features, such as Snyk, to automatically check your dependencies for vulnerabilities.

npm Account Takeover Attacks

An npm account takeover attack is a type of cyber attack in which an attacker gains unauthorized access to someone else’s npm account. This can allow the attacker to modify or delete packages, or to publish malicious packages under the victim’s account. Account takeover attacks can have serious consequences, including the compromise of sensitive data, the disruption of services, and the loss of reputation.

There have been several instances of npm account takeover attacks. For example, in 2017, an attacker was able to gain access to the npm account of the popular JavaScript library “left-pad”, and delete the package from the registry. This caused widespread disruption, as many other packages depended on “left-pad” and were unable to install or run as a result.

To protect against npm account takeover attacks:

  • Use strong, unique passwords for your npm account, and enable two-factor authentication (2FA) for an extra layer of security.
  • Use a password manager to help you generate and store secure passwords.
  • Be cautious when clicking on links or downloading attachments in emails, as these can be used to trick you into revealing your npm account credentials.
  • Monitor your npm account for unusual activity, and take appropriate action if you suspect that you have been the victim of an account takeover attack.

Poisoned Packages

Poisoned packages are npm packages that contain malicious code or other harmful content. Poisoned packages can be used to exploit vulnerabilities in software, steal sensitive data, or perform other malicious actions.

Aqua Security published a report on poisoned npm packages that had been detected in the npm registry. Aqua found that many of the poisoned packages had names that were similar to popular packages, in an attempt to trick users into installing them. The report also found that the majority of the poisoned packages were related to cryptocurrency or blockchain technology, and that they were often used to steal cryptocurrency or perform other malicious actions.

To protect against poisoned packages:

  • Use a private npm registry service, such as Verdaccio, that provides additional security controls and checks for package vulnerabilities.
  • Be cautious when installing npm packages, especially if you are not familiar with the publisher or the package name seems suspicious.

ua-parser-js Library Vulnerability 

This incident in October 2021 involved attackers inserting malicious code into several versions of the ua-parser-js library after hijacking the npm account of the library’s main developer, Faisal Salman. This vulnerability was downloaded over 8 million times within one week during October 2021, and numerous other libraries use it as a dependency. The versions affected were 1.0.0, 0.7.29, and 0.8.0.

The ua-parser-js library can be used to identify user attributes such as device, browser, and operating system by parsing user-agent strings. The widespread use of this library demonstrates that developers implicitly trust widely-endorsed, community-supported libraries. The October 2021 exploit compromised the 

During the exploit, Salman’s email account became flooded with hundreds of spam messages. This email bombing was intended to serve as a smokescreen for emails contained sensitive information, such as notifications of password resets. Fortunately, the developer noticed this early and identified the malicious activity, but this wasn’t enough to prevent all damage. 

The attack was able to compromise users of the ua-parser-js library users for several hours. The vulnerability was addressed in the updated library versions: 1.0.1, 0.7.30, and 0.8.1. However, ua-parser-js users should assume they were affected by the compromise, especially if they’ve used a compromised version. Other projects that depend on the library might also remain compromised, and the full impact of the supply chain attack could still be unknown. 

To protect against the ua-parser-js vulnerability:

  • Update to a version that is not affected by the vulnerability – the vulnerability is fixed in these library versions: 1.0.1, 0.7.30, 0.8.1.
  • Look for the presence of the following on their machines: jsextension.exe binary, jsextension Linux ELF binary, and instances the create.dll trojan.
  • Rotate all credentials. Password stealers like create.dll can compromise credentials for various sensitive applications, so keeping the same credentials presents the opportunity for data theft and persistent threats.

DLL Hijacking via npm CLI

DLL hijacking is a type of attack that exploits vulnerabilities in Windows software to execute malicious code on a user’s system. DLL hijacking attacks often involve an attacker replacing a legitimate dynamic link library (DLL) file with a malicious DLL file that is loaded by the software when it starts. This can allow the attacker to gain access to sensitive data or perform other malicious actions.

Node.js uses binary artifacts, such as DLL files, to provide functionality to applications. If a malicious DLL file is included in a Node.js package or repository, it could potentially be loaded by Node.js and used to execute malicious code.

To protect against DLL hijacking attacks and other security threats, it is important for Windows users to upgrade to the latest version of Node.js. Newer versions of Node.js include security fixes and other improvements that can help protect against vulnerabilities.

It is also important to be cautious when using binary artifacts in repositories and packages. Be sure to verify the source and integrity of any binary artifacts that you use, and consider using a private npm registry service, such as Verdaccio, which provides additional security controls and checks for package vulnerabilities.

Supply Chain Attack Protection with Aqua Security

Aqua Security provides enterprise-class security solutions to secure cloud native applications and environments from software supply chain attacks. Detect malware and anomalous activity that only manifests at runtime, without putting production environments and sensitive data at risk. Aqua Dynamic Threat Analysis (DTA) deploys containers in a secure sandbox environment and documents the entire attack killchain, providing unprecedented insight to security and forensics teams and establishing a security gate to block promotion of malicious artifacts into production.
For more information, find out how Aqua helps protect you from supply chain attacks