Warning: JavaScript registry npm vulnerable to 'manifest confusion' abuse

The npm Public Registry, a database of JavaScript packages, fails to comparison npm package manifest information pinch nan archive of files that information describes, creating an opportunity for nan installation and execution of malicious files.

In a blog post published connected Tuesday, Darcy Clarke, who was unit engineering head for nan npm CLI (command statement interface) squad from July 2019 done December 2022, calls this "manifest confusion" and says it represents a imaginable package proviso concatenation vulnerability.

"The npm Public Registry does not validate manifest accusation pinch nan contents of nan package tarball, relying alternatively connected npm-compatible clients to construe and enforce validation/consistency," Clarke explains.

Clarke is not an wholly disinterested statement pinch respect to npm. He's processing an replacement JavaScript registry and package head called vlt.

According to Clarke, nan npm Public Registry server has ne'er done manifest validation. It's an rumor that has nan imaginable to impact a batch of developers – npm, acquired by Microsoft's GitHub successful 2020, is utilized by more than 17 cardinal developers and hosts much than 3 cardinal packages. Last month, it served complete 215 cardinal downloads.

The registry.npmjs.com endpoint, Clarke says, will fto registered developers people packages utilizing a PUT petition to nan due URI.

"The rumor astatine manus is that nan type metadata (a.k.a. 'manifest data') is submitted independent from nan attached tarball which houses nan package's package.json," he explains. "These 2 pieces of accusation are ne'er validated against 1 different and [this] calls into mobility which 1 should beryllium nan canonical root of truth for information specified arsenic dependencies, scripts, license, and more."

The tarball – a compressed archive of files – gets signed, but nan sanction and type fields declared successful nan package.json record tin beryllium different from nan sanction and type fields successful nan manifest because they're not validated.

This deficiency of validation presents respective risks, Clarke says, including cache poisoning, nan installation of unanticipated dependencies, nan execution of unanticipated scripts, and type downgrade attacks.

• GitHub debuts pedigree cheque for npm packages via Actions
• Python Package Index had 1 personification on-call to clasp backmost play malware rush
• Worried astir nan information of your code's dependencies? Try Google's Deps.dev
• So you want to merge OpenAI's bot. Here's really that worked for package information scanner Socket

The problem came up successful a bug report past year, though we person nary uncertainty others spotted it earlier.

According to that report, nan published package @datadog/native-metrics declared an instal book but nan attached tarball of files included a package.json record without an instal script. While this wasn't a information issue, it could person been.

Asked whether deficiency of resources for npm improvement nether GitHub led to this authorities of affairs, Clarke told The Register that while he believes GitHub underinvested successful npm, "I deliberation this rumor really went unnoticed for truthful agelong because of nan horrible deficiency of up-to-date registry documentation."

"Many consumers don't interact straight pinch nan registry interface truthful they only cognize what nan developer tools/package managers opportunity astir nan published packages," he explained.

"I besides deliberation nan first logic this came to walk was because npm, successful its infancy, had some nan customer and registry unfastened sourced."

The Register understands that nan npm Public Registry hasn't been afloat unfastened root since early 2014, astir 4 years aft its first release. Clarke's proposal is that since then, npm registry codification hasn't received arsenic overmuch attraction arsenic it mightiness person otherwise.

The ecosystem is presently nether nan incorrect presumption that nan manifest ever contains nan contents of nan tarball's package.json

The imaginable for "manifest confusion," said Clarke, besides affects various third-party devices and JavaScript package managers, though nether different circumstances.

"The cardinal constituent to make present is that nan ecosystem is presently nether nan incorrect presumption that nan manifest ever contains nan contents of nan tarball's package.json," said Clarke, who again pointed to nan deficiency of archiving astir nan request for npm customer package to guarantee manifest-tarball consistency.

In an email to The Register, Feross Aboukhadijeh, CEO of information biz Socket, said nan rumor raised by Darcy Clarke is valid and applicable to astir each package managers and information devices successful nan space, pinch nan objection of Socket, natch.

"The tldr of this rumor is that it lets an attacker see a dependency successful a package that won’t show up connected nan npm website, moreover though nan CLI will really instal it," said Aboukhadijeh.

"The Socket investigation squad independently discovered this alleged “manifest confusion” rumor and deployed a hole for it connected September 5, 2022. Since that date, each dependency study connected Socket has been utilizing nan correct manifest record – specifically, nan package.json wrong nan tarball – which matches nan installation behaviour of each awesome package manager. That intends that nan 'manifest confusion' method would not successfully hide limitations from Socket’s analysis.

It lets an attacker see a dependency successful a package that won’t show up connected nan npm website, moreover though nan CLI will really instal it

"However, nationalist package pages connected Socket, specified arsenic this page for left-pad, were utilizing a different information root based connected nan registry metadata. We’ve resolved this rumor today.

"Furthermore, we were already successful nan process of processing a caller proactive discovery for this method arsenic of past week, and we're rolling it retired today. This intends that immoderate statement utilizing Socket will person a captious information alert if 1 of their limitations attempts to usage this method successful nan chaotic (which is astir apt rather apt now that this method is public)."

Aboukhadijeh said nan broader rumor of information value successful tooling should beryllium considered because astir package creation study (SCA) devices don't do a very bully occupation generating meticulous dependency graphs.

"Without throwing immoderate circumstantial information vendors nether nan bus, I’ll conscionable opportunity that each 1 of nan dependency devices I’ve tested misses full limitations because of shortcuts taken, and a basal nonaccomplishment to understand nan npm package installation process," he said.

"It’s for illustration astir information vendors conscionable get to a 'minimum viable product’ and vessel it. For that reason, I’m grateful to Darcy for raising consciousness of this issue."

GitHub did not respond to a petition for comment. Socket has much info for developers astir this manifest disorder rumor here, issued today. ®