The npm registry's safe word is Socket

Trending 6 months ago

Exclusive Socket has recovered a measurement to protect developers from npm, GitHub's insufficiently safe JavaScript package manager, by wrapping it successful a information blanket.

The npm registry, operated by NPM until nan information biz was acquired by Microsoft's GitHub successful 2020, hosts package packages for nan JavaScript ecosystem. It is, by its ain account, "the world's largest package registry."

In nan past fewer years, nan maliciously inclined person progressively focused connected compromising package registries for illustration npm successful what's known arsenic a supply concatenation attack. Subverting a celebrated package room has nan imaginable to alteration wide viral distribution.

Those moving nan npm registry person put successful spot various defenses complete nan years, specified arsenic npm audit, a vulnerability scanning command successful nan npm bid statement interface (CLI). But nan tool's implementation leaves something to beryllium desired and developers often disregard audit informing messages, peculiarly if automated solution doesn't work.

Socket built its ain vulnerability scanning system and past twelvemonth made it disposable for free (with paid tiers for teams and organizations) for unfastened root projects. Its scanner runs arsenic a GitHub app connected codification repositories erstwhile changes are made. It catches more issues than npm audit – covering not conscionable proviso concatenation consequence but besides quality, maintenance, vulnerability, and licence concerns.

Ring successful immoderate changes

But Socket's scanner is besides now available arsenic a CLI that developers tin instal connected their machines. On Thursday, Socket updated its CLI pinch a safe npm bid that defends developers whenever they invoke npm instal aliases npm uninstall, which perversely tin instal packages amid removing others.

"npm creates what is called nan 'ideal tree' for a fixed package.json," Feross Aboukhadijeh, told The Register. "So by removing a package you mightiness really alteration what nan perfect character is. Removing a package whitethorn region a constraint which is keeping a package connected an older version, truthful past npm whitethorn update those packages to a much ideal/recent version."

The logic origin for this interest is that JavaScript packages distributed via npm tin beryllium compromised. According to Aboukhadijeh, Socket has seen much than 200 packages removed conscionable successful nan past 30 days.

  • This JavaScript scanner hunts down malware successful libraries
  • Google debuts OSV-Scanner – a Go instrumentality for uncovering information holes successful unfastened source
  • Microsoft Azure developers targeted by 200-plus data-stealing npm packages
  • Open root package has its perks, but proviso concatenation risks can't beryllium ignored

Aboukhadijeh said that nan mean npm package has 79 transitive dependencies, truthful installing 1 is apt to bring dozens of further packages on for nan ride. And vetting each of those manually is not thing astir group person nan ability, time, aliases inclination to do.

While utilizing npm audit whitethorn aboveground known vulnerabilities, nan Socket CLI now goes deeper, acknowledgment to nan summation of nan safe npm command. It tin beryllium group up by moving npm instal -g @socketsecurity/cli, which adds a socket bid to nan PATH biology adaptable that specifies wherever executable programs tin beryllium found.

Thereafter, developers tin invoke nan instrumentality by entering socket npm instal alternatively of npm install. And aliasing nan bid tin make this much convenient still. The org recommends adding othername npm="socket npm" to their .bashrc floor plan (or .zshrc, aliases immoderate ammunition is being used) truthful that nan acquainted npm instal invocation passes transparently to nan Socket CLI.

Demo of an npm command-line relationship pinch Socket's information on

"Socket’s safe npm instrumentality transparently wraps nan npm bid and protects nan developer from malware, typosquats, instal scripts, telemetry, protestware, and much – 11 issues successful all," it said.

This attack tin besides defender against much fraught commands for illustration npx and npm exec, which instantly execute downloaded code.

"Due to nan prolific usage of these commands, we made judge to adhd protection for these commands too, truthful that you don't accidentally tally bad codification by copy-pasting an npx bid from a README record aliases StackOverflow reply and get compromised," nan biz promised. ®