The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Defending against malicious packages in the npm ecosystem and beyond

Fred Bals

Jun 30, 2023 / 2 min read

Software packages are a popular means to distribute open source and third-party software. They are often pulled from an outside source through a package manager or installer program, and they typically include source code, libraries, documentation, and other files needed to build and run the software.

malicious package contains malware disguised as a legitimate package, and it is intended to infiltrate and infect software. Once a malicious package’s malware enters a system, it can potentially steal sensitive data, disable security software, modify or delete files, and even take over an entire system or network for its own nefarious purposes.

Unlike code weaknesses and vulnerabilities—which can exist in software for months or years without being exploited—a malicious package is almost always a direct and immediate threat that you need to address, especially when it comes to the software supply chain. According to Gartner, 45% of organizations worldwide have experienced attacks on their software supply chains, a three-fold increase from 2021. Attackers have found that supply chains offer a near-limitless attack surface that can be vulnerable through automatic software updates, software-as-a-service (SaaS) tools, the cloud, and even AI-generated false information (popularly known as “hallucinations”) that can be exploited to trick developers into downloading malicious packages.


Popular vectors for malicious packages

The most common vectors for malicious packages include brandjacking, typosquatting, dependency hijacking, and dependency confusion. Brandjacking means an attacker assumes the online identity of the legitimate owner of a package. In typosquatting, an attacker publishes a malicious package with a name similar to a popular package in the hope that a downloader will unintentionally fetch the malicious version. Dependency hijacking and dependency confusion attacks also rely on substitutions of malicious packages for the real versions. In 2018, for example, a malicious package was published to npm, the world’s largest software registry, and added as a dependency to the widely used “event-stream” package. It was downloaded more than 8 million times in less than three months.

The four major open source ecosystems

There are four major open source ecosystems: Java, Python, .NET, and the largest and most popular of them all, JavaScript. Each has its own package distribution and management system. The default package manager for JavaScript's runtime node.js is npm. JavaScript and npm are not any less secure than the other three ecosystems, but their ubiquity has made them a target of choice for malicious actors. Whatever open source ecosystem you prefer, malicious packages can pose serious risks to the integrity and security of your applications.

Identifying malicious code and preventing it from entering your SDLC

The threat of malicious packages in npm requires proactive measures to mitigate the risks. Here are three strategies that developers should adopt to defend against inadvertently installing malicious packages.

  • Validate the libraries you download. Double-check the reputation and trustworthiness of the package. Look for signs of fake accounts or impersonations, and verify the legitimacy of the package’s source before installing it.
  • Review package ownership and maintenance. Be cautious when using packages that have recently changed maintainers. Be wary of significant changes in functionality among different versions.
  • Use npm security tools. These include the npm audit and npm shrinkwrap commands, which can help prevent the installation of a malicious package.

Proactively, consider implementing one of the many software composition analysis (SCA) tools available today. Look for one that will automate the creation and maintenance process for a Software Bill of Materials (SBOM) of open source and third-party code. Many SCA tools will continuously monitor for and advise of new security threats as they appear and will deliver timely advisories of security threats with actionable mitigation advice.

For a more detailed examination of the threat of malicious packages in the npm ecosystem with real-world examples and mitigations, please see our complimentary eBook at the link below.

Continue Reading

Explore Topics