2022 Review of NPM-Based Vulnerabilities

NPM made headlines in 2022 after a staggering rate of vulnerabilities was discovered in over 50 popular packages, putting countless projects and organizations at risk. Unfortunately, many organizations underplay or ignore NPM vulnerabilities. Are you one of the many developers relying on NPM without realizing the countless security holes in your code? It's time to take a closer look and understand what could be lurking in your projects.

We will uncover the latest findings from the NPM security landscape and why it is crucial for you to prioritize package manager security in your development process.

Node Package Manager 101

NPM (Node Package Manager) is a package manager for Node.js. Since its first introduction in 2009, it has grown in popularity due to its ease of use and substantial package repository, with over 1.3 million packages and 100 billion downloads per month.

NPM enables developers to easily install, manage and share packages used in web development projects.  The popular server-side JavaScript runtime environment, Node.js, comes with NPM prepackaged, making it easier for developers to interact with the NPM registry to install packages and manage their project dependencies.The Node Package Manager is a well-thought-out, robust package manager that consists of two main components:

• NPM Registry
• NPM CLI

NPM Registry

The NPM registry is one of the most popular centralized repositories of open-source packages that enables developers to access and download various packages easily.

When a developer wants to use a package in their project, they can search for it in the NPM registry using the NPM CLI (Command Line Interface). Once they find the package they want, they can easily install it into their projects with a single command.

In addition to the NPM registry being a place to find and install packages, it also helps developers manage dependencies between packages. When a developer installs a package, NPM automatically installs any dependencies it requires, making it easier for developers to manage the package they use in their projects.

NPM CLI

NPM CLI (Command Line Interface) is a command line tool developers use to interact with the Node Package Manager. It is a powerful tool that allows developers to easily install, manage, and share packages of code used in web development projects.

The NPM CLI comes bundled with Node.js, and developers can easily access it via the terminal or command prompt on any operating system. It allows developers to perform a range of commands to perform various actions, such as:

• Installing packages: Developers can easily use the npm install command to install packages from the NPM registry into their projects.
• Managing dependencies: The NPM CLI helps manage the dependencies between packages, automatically installing any dependencies required by a package when installed.
• Searching for packages: Developers can use the npm search command to search for packages in the NPM Registry.
• Publishing packages: The npm publish command publishes packages to the NPM Registry, making them available to the broader development community.
• Updating packages: Use the npm update command to update packages to their latest version.
• Uninstalling packages: Remove packages from projects using the npm uninstall command.

Unfortunately, the Vulnerabilities are Endless

Even though NPM allows developers to quickly search, install, and maintain required packages from the NPM registry, using packages within the repository comes with its own set of challenges.

Since the NPM registry is a collection of open-source packages, the responsibility of maintaining these packages falls into the hands of the contributors and owners of each package. Although many open-source projects thrive with the community's support, some packages fall through the cracks and end up with significant security issues and flaws. Therefore, developers who use these packages must be mindful of their stability when considering packages.

The More Downloads, the Merrier?

To put things into perspective, the NPM registry sees billions of downloads per week, and sometimes popular packages such as express see millions of downloads each week. These statistics indicate that this package version will run on millions of applications. Therefore, a single flaw within this package will impact all the applications relying on it.

Following the need for reusable code that can be easily installed and used in applications, the need for more versatile packages increased significantly. The NPM registry is at the forefront of this journey as contributors flock to contribute to existing packages and even submit new packages that are free for anyone to use.

With this increase in new packages, there is also an increase in the number of vulnerabilities that surface. The most significant reason remains to be a monetary gain for attackers. Attackers actively look for vulnerabilities within the most popular packages as the sheer size of their usage can cause devastation amongst all users.

Attacks Lurking Under the Surface

Some revolutionary attacks that would not even be evident to the developer at first glance can occur. For example, attacks such as the NPM lockfile injection enable the hacker to modify the dependencies in a lockfile to introduce a security vulnerability or exploit a project. It typically occurs when an attacker gains access to a project's source code repository and modifies the lockfile to include a malicious version of a package that can be used to execute arbitrary code.

In addition to the vulnerabilities within the NPM packages, significant vulnerabilities have been detected within the package manager itself.

For example, in 2022, security researchers at Aqua identified a logical flaw dubbed Package Planting within the package manager and how it handles maintainers of a specific package. It effectively allowed an attacker to create a malicious package and assign them to popular and trusted maintainers without their knowledge. If exploited properly, attackers would theoretically be capable of infecting millions of applications by tricking developers into thinking that these packages are legitimate.

NPM can also introduce vulnerabilities and exploits that execute arbitrary commands on the developer's workstation. Arbitrary command execution in NPM refers to a vulnerability in the NPM package manager that allows an attacker to execute arbitrary commands on a targeted system through a malicious npm package. This attack can occur when an NPM package is installed, and its post-install script contains malicious code executed on the targeted system. This vulnerability can compromise the targeted system, data theft, and other security issues.

3 Steps to Remediation

As developers, we need to understand that vulnerabilities and attackers are here to stay and will only grow with time. The only way around this paradigm is to combat the vulnerabilities within the packages and the package manager itself.

There are some tried and tested approaches to securing these components within the development process. Some of the more popular options are:

1. NPM Audit
2. OWASP NPM Security Best Practices
3. Third-Party Tools To Evaluate Package Security

1. NPM Audit

The go-to tool for most developers can be the npm audit command that runs a security audit against the packages and their dependencies while identifying security vulnerabilities. While simple, it provides a comprehensive look into each package and allows developers to fix any vulnerabilities identified by updating these vulnerable packages to a more stable version.

It is important to note that every new package installation executes the npm audit command. Therefore, it performs a security assessment of the package even before installation begins.

2. OWASP NPM Security Best Practices

OWASP is a leader in defining security best practices and provides significant guidance for securing NPM packages:

1. Keep packages up to date: Regularly updating packages can ensure that any known vulnerabilities are patched and that the latest security features are available.
2. Use secure package sources: Only download packages from trusted sources, such as the official NPM registry, to minimize the risk of downloading malicious packages.
3. Verify package signatures: Verify the signatures of packages before installing them to ensure they have not been tampered with.
4. Use package security tools: Tools like npm audit can help identify package vulnerabilities and guide how to fix them.
5. Use strong authentication: Use robust authentication mechanisms, such as two-factor authentication, to protect your NPM account and prevent unauthorized package access.
6. Use version pinning: Specify exact versions of packages in your project's dependencies to prevent unexpected updates that could introduce vulnerabilities.
7. Perform regular security assessments: Regular security assessments help identify package vulnerabilities and provide an opportunity to take remedial action.
8. Educate developers: Provide training and resources to help developers understand the importance of secure NPM package management and best practices.

3. Third-Party Tools to Evaluate Package Security

Although built-in tools provide developers with a mechanism to securely use and maintain NPM packages, specific tools designed to perform these tasks are also an excellent option for securing the development processes.

You could choose a specialized tool that analyzes NPM packages' code and identifies potential security issues, such as dependencies on known vulnerable packages, potential security exploits, and violations of best practices for secure coding.

Securing NPM Packages to Secure Your Applications

The recent surge in NPM vulnerabilities emphasizes the need to prioritize package security in the development process. Many popular packages contain vulnerabilities, so organizations must assess the NPM security landscape and identify any security weaknesses in their code. Ignoring package security can pose a threat to projects and organizations. By being proactive and taking steps to address potential security issues, organizations can secure their applications and earn the confidence of their users.

Spectral provides NPM vulnerability scanning and is available as a standalone solution or as a component of CloudGuard CNAPP. Spectral scans code, settings, and other artifacts for security vulnerabilities and defends against them. 

CloudGuard CNAPP provides a fully integrated developer solution that streamlines cloud security operations from code to cloud. With CNAPP, you have a unified platform that not only identifies security issues throughout your pipeline but also provides in-depth insights and context. This allows you to understand effective IAM permissions and privileges and prioritize risks across your entire cloud infrastructure.

Author: Dotan Nahum