Manifest Confusion Threat Undermines Trust in Entire NPM Registry

Cyber Security Threat Summary:
The lack of metadata validation in the npm registry, which is widely used by developers to download Javascript code, has raised concerns about potential cyber threats. Despite being the largest software registry globally, with 17 million developers relying on it, the registry fails to perform checks on package metadata.

“However, former GitHub and npm manager, Darcy Clarke, explained in a blog post this week that the registry has failed to take action, despite knowing about the issue since last November. “I believed the potential impact/risk of this issue was actually far greater than originally understood and I submitted a HackerOne report with my findings on March 9. GitHub closed that ticket and said they were dealing with the issue ‘internally’ on March 21st,” Clarke explained. “To my knowledge, they have not made any significant headway, nor have they made this issue public – instead, they’ve actually divested their position in npm as a product the last six months and refused to follow-up or provide insight into any remediation work.” The issue itself arises from the fact that npm doesn’t validate manifest information (metadata) with the actual contents of an associated package or “tarball.” This means that, in theory, a package publisher could conceal important information such as which dependencies it has and which scripts the package runs. (InfoSecurity Magazine, 2023).

According to Clarke, this situation exposes npm users to various risks including:

  • Cache poisoning, where a saved package doesn’t match the name and version of the one in the registry
  • Installation of unknown or unlisted dependencies, thus tricking security and audit tools
  • Execution of unknown and unlisted scripts, again tricking security/audit tools
  • A potential downgrade attack where the version spec saved into projects is for a unspecified, vulnerable version of the package
Ax Sharma, a security researcher at Sonatype, emphasized the significance of developers not solely relying on metadata due to the discovery of manifest confusion. He pointed out that inaccuracies can be present in metadata due to the discovery of manifest confusion, not necessarily as a result of malicious intent, but due to scenarios like cloning or forking legitimate projects, or when outdated metadata is retained in newer package manifest files or npm registry packages.

Security Officer Comments:
Furthermore, Sharma concluded that if developers neglect to utilize analysis tools, they run the risk of being vulnerable to attacks wherein threat actors introduce malicious dependencies or insert malicious installation scripts. These threats could go unnoticed by solutions that solely rely on manifest data. Therefore, it’s crucial for developers to incorporate deeper analysis techniques, such as hash-based analysis, to mitigate these risks effectively.

Suggested Correction(s):
Researchers recommend that authors and maintainers of packages take steps to mitigate manifest confusion on npm until Github devises a plan to address the issue. One suggested approach is to reduce reliance on manifest data and obtain metadata, excluding the name and version from more secure ‘package[.]json’ files that are less susceptible to manipulation. Furthermore, implementing a registry proxy between the package database and npm client can offer an additional layer of protection. This proxy can incorporate extra checks and validations to verify the consistency between the manifest data and the information contained in the package’s tarball. By adopting these protective measures, developers can enhance the integrity and security of their packages on the npm registry.

Link(s):
https://www.infosecurity-magazine.com/news/manifest-confusion-threat-trust/
https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem