A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the npm JavaScript software registry.
Last week, a former engineering manager at GitHub and npm, Darcy Clarke, warned about "manifest confusion" issues that could introduce the risk of malware hiding in dependencies or executing scripts during installation.
"Manifest confusion" refers to a security issue in npm (Node Package Manager), a package manager for the JavaScript programming language and the default one for the Node.js environment.
The problem is the inconsistency between a package's manifest data as displayed in the npm registry and the data present in the 'package.json' file of the published package.
A malicious actor could manipulate the manifest data of a new package, removing certain scripts or dependencies so that they do not appear in the npm registry.
However, these scripts or dependencies would still be present in the package.json file and would be executed when the package is installed, without the user being aware.
This problem potentially exposes developers to risks such as cache poisoning, installation of unknown dependencies, execution of unknown scripts, and possibly even downgrade attacks.
Since GitHub has yet to address the problem and it is unclear what the platform plans to do, Clarke suggested that package maintainers remove their reliance on manifest data and use a registry proxy to perform data consistency checks.
Manifest confusion checker
Until a solution is implemented, sysadmin Felix Pankratz has released a Python-based tool that can help software developers check npm packages for inconsistencies.
To use the tool, first install its dependencies with the pip Python package manager: "pip install -r requirements.txt."
To check a single package, pass the package's name to the script as the first argument. For example:
$ ./npm-manifest-check.py darcyclarke-manifest-pkg
The output will highlight any mismatches in the version, dependencies, scripts, and package name between the registry manifest and the actual package.json file.
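The comparison such a checker performs, written out as an added example in Python. This is not Pankratz's npm-manifest-check code: the registry manifest and the tarball contents are constructed sample data embedded in the script, and fetch_live is a hypothetical helper that only shows where live data would come from (it is not called by main).

```python
"""Manifest-confusion check: compare what the npm registry says about a
package version with the package.json shipped inside its tarball.

Added example, not Felix Pankratz's npm-manifest-check tool. The sample
registry manifest and tarball below are constructed data, not fetched
from the registry; fetch_live() shows where real data would come from.
"""
import io
import json
import tarfile
import urllib.request

# Fields the checker compares; a mismatch in any of them means the registry
# shows installers something other than what will actually run.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")

# Constructed sample: what the registry's per-version manifest claims.
REGISTRY_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {},
}

# Constructed sample: what is really inside the tarball's package.json.
# The registry copy above hides both the extra dependency and the
# postinstall script, which is exactly the manifest-confusion pattern.
TARBALL_PACKAGE_JSON = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"some-other-pkg": "1.0.0"},
    "scripts": {"postinstall": "node ./setup.js"},
}


def _normalize(doc: dict, field: str):
    """Treat an absent dependencies/scripts field and an empty one alike."""
    value = doc.get(field)
    if field in ("dependencies", "scripts") and value is None:
        return {}
    return value


def find_mismatches(registry_manifest: dict, package_json: dict) -> dict:
    """Return {field: (registry_value, tarball_value)} for each differing field."""
    mismatches = {}
    for field in CHECKED_FIELDS:
        reg_val = _normalize(registry_manifest, field)
        pkg_val = _normalize(package_json, field)
        if reg_val != pkg_val:
            mismatches[field] = (reg_val, pkg_val)
    return mismatches


def format_report(package_name: str, mismatches: dict) -> str:
    """Render the result in the same spirit as the tool's output."""
    if not mismatches:
        return f"No mismatch detected for {package_name}."
    lines = [f"Mismatch detected for {package_name}:"]
    for field, (reg_val, pkg_val) in sorted(mismatches.items()):
        lines.append(f"  {field}: registry={reg_val!r} package.json={pkg_val!r}")
    return "\n".join(lines)


def package_json_from_tarball(tar_bytes: bytes) -> dict:
    """Read package/package.json out of an npm tarball (.tgz) held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        with tar.extractfile(member) as fh:
            return json.load(fh)


def build_sample_tarball(package_json: dict) -> bytes:
    """Constructed sample: build a minimal npm-style tarball around package.json."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fetch_live(name: str, version: str) -> tuple:
    """Hypothetical helper (needs network): fetch the registry's per-version
    manifest and the package.json from the tarball it points to."""
    with urllib.request.urlopen(f"https://registry.npmjs.org/{name}/{version}") as resp:
        manifest = json.load(resp)
    with urllib.request.urlopen(manifest["dist"]["tarball"]) as resp:
        tar_bytes = resp.read()
    return manifest, package_json_from_tarball(tar_bytes)


def main() -> None:
    tarball = build_sample_tarball(TARBALL_PACKAGE_JSON)
    pkg_json = package_json_from_tarball(tarball)
    mismatches = find_mismatches(REGISTRY_MANIFEST, pkg_json)
    print(format_report(REGISTRY_MANIFEST["name"], mismatches))


if __name__ == "__main__":
    main()
```

Run as-is, the script reports mismatches in dependencies and scripts for the constructed sample; name and version agree, so they are not listed. The point of reading package.json out of the tarball rather than trusting the registry document is that the tarball is what npm actually unpacks and whose scripts it runs.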

For a package without any mismatches, the output should look like this:
$ ./npm-manifest-check.py color
No mismatch detected for color.
To check multiple packages, developers can add them to a 'packages.list' file (one package per line) and use the 'check_packages.sh' wrapper script to check them. The tool will report any mismatches found in each of the checked packages.
To see all the options Pankratz's tool supports, consult its help output with:
./npm-manifest-check.py -h
Manifest confusion is not a widespread or critical problem in the npm community right now, but ignoring it is not the safe way to go, as threat actors could start using it for supply-chain attacks.