Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Discovered On Node.js Package Manager npm (softpedia.com)

Posted by timothy on from the found-by-the-good-guys dept.

An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.

30 of 90 comments (clear)

  1. Why would anyone use JavaScript?! by Anonymous Coward · · Score: 2, Funny

    I can sort of understand using JavaScript in the browser. After all, it's the only option. But server-side?! There is no such restriction!

    Why the heck would anyone choose to use such an awful, crippled language when they have numerous superior options?!

    It baffles my mind how somebody would go out of their way to use such an awful language when there are so many better options available.

    I'm not one to pre-judge. I tried out JavaScript, Node.js and npm for myself. I couldn't believe just how awful they were! Everything about them feels like a regression compared to their competitors.

    1. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 3, Informative

      Because cheap code monkeys cannot write real code.

    2. Re:Why would anyone use JavaScript?! by i.r.id10t · · Score: 5, Insightful

      Aside from that, why are libraries pulled in dynamically from the intertoobs on a production server? Why aren't the libraries packaged like Perl CPAN stuff, or PHP PEAR stuff, to be downloaded (and signature verified?) to the server or dev machine and accessed only locally? Heck a tar.gz file with a posted list of hash sums would be more secure. This is all old hat stuff that has been solved in multiple ways, no reason at all for it to be an issue now.

      --
      Don't blame me, I voted for Kodos
    3. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 3, Interesting

      Said otherwise:

      Because the new generation wants fully-automatic updates, without a care for security at all. They won't even pay someone else to do it manually regularly.

      Plus it's great for targeted infection of people deemed dangerous to the "rich and powerful", without having to mess with the network.

    4. Re:Why would anyone use JavaScript?! by pdvalentini6650 · · Score: 3, Informative

      When you are fluent in one language you speak that language even if there are better options.

    5. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 2

      I'm not sure how JavaScript would be that different than any other scripting language (Perl/Ruby/Python/PHP/Groovy), and those seem to have viable web ecosystems Not 100% sure where the hate for JS is coming from. Unless it's a disdain for scripting languages in general. That would generally leave you with C#/Java and Java, historically, has been the only cross platform solution, and the language has stagnated heavily over the last decade (though 1.8 and 1.9 are showing signs of life).

      --
      je suis parce que j'aime
    6. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 4, Interesting

      Javascript has some terribly bad parts (as does perl and php) and I would concur that languages like Python/Ruby seemed to be planned in entirety a bit more. I would recommend looking at ES2015+, the next revision of the Javascript. It does a lot to curb those issues (JS actually has a "strict" mode that handles some of the gotchas), and ES2015 adds proper module support, as well as a standard class syntax.

      These features have been in use for years by transpilers (to cover the gap between agreement on a new language feature and the time before it is adopted by the runtimes). Typescript is an even more powerful extension of ES2015 that adds compile-time type analysis/verification but generates nearly perfect idiomatic ES2015 code.

      --
      je suis parce que j'aime
    7. Re:Why would anyone use JavaScript?! by gweihir · · Score: 2

      Because cheap code monkeys cannot write real code.

      Sad, but true. We do not have to few coders. We have far too many and most of them bad.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 2

      As a server side language, I'm extremely torn. I've actually been using Typescript pretty heavily lately (and decorators), and it makes the code I write not too far off from the Spring/Java code I would generally write. My biggest concern with NodeJS is the maturity of the ecosystem, and how it plays with enterprise software development. One of my goto examples is LDAP support. There were a handful of libraries (circa 2014) that sort of worked, but had gaps, and ultimately required doing some odd trickery to work. The analog to Java would have been one or two libraries that are mature and just work.

      I personally find NodeJS is generally a fine experience, but the ecosystem (which is what the story is about) is just lacking structure that other languages have. It will mature, but may be a lot of pain along the way. The other day I had to choose between Python and NodeJS for a utility I was writing, and I went with Python because batteries were included, and I was afraid of trying to figure out how to include dependencies on the remote host in a consistent and manner.

      --
      je suis parce que j'aime
  2. How do we know it hasn't already? by Anonymous Coward · · Score: 4, Insightful

    How do we know that such techniques haven't already been used?

    Even if they fix these flaws, I think every single line of code in every single version of every single npm package will need to be reviewed by a team of security experts.

  3. Good thing leftpad broke it, then! by BenJeremy · · Score: 2

    Petulant developers save the internets!

  4. Javascript and security? by Anonymous Coward · · Score: 5, Insightful

    Wait... there are people who run Javascript code, on a server, as root? Untrusted Javascript code they don't control to boot? Uhhh, wow.

    1. Re:Javascript and security? by El_Muerte_TDS · · Score: 3, Insightful

      wget -O- https://example.org/install.sh | sh

      is a very common installation method presented by various tools (or via curl). In most cases you even need to run them as root due to the fact that the creators of those tools do not understand how to have their software work as non-root users.

      For example:
      https://toolbelt.heroku.com/de...
      https://docs.docker.com/linux/...
      https://nodejs.org/en/download...

    2. Re:Javascript and security? by Anonymous Coward · · Score: 2, Insightful

      I tend to see "curl" more often than "wget -O-", but it's the same problem.

      And when a software project recommends

      curl (some url) | sh

      I assume that the developers arrogant or incompetent.

      When the project recommends

      curl (some url) | sudo sh

      I assume that the developers are incompetent or malicious.

      But I'm a greybeard.

      The sad thing is that I've met bright, young developers who don't see it as a problem. "That's how the Internet works," they say, pointing at Javascript on the web. (I grind my teeth at JS+HTTP == web == Internet, but that's a separate issue.)

      After all, if your customers have enabled Javascript, they've already given up the idea of curating the code that runs on their system. There's no review, approval, QA, or audit trail. And if your customer base is okay with that (as 99% of the technical folks seem to be), why should you be the one to take on the additional work?

      And once your organization is okay with that thinking, then the curl/wget thing follows naturally. Same mindset and acceptance of risk.

      After all, being careful will just slow you down and let your competitor beat you in the market.

      It's almost enough to make one cheer the blackhats.

    3. Re:Javascript and security? by leptons · · Score: 2

      Wait... there are people who run Ruby code, on a server, as root? Untrusted Ruby code they don't control to boot? Uhhh, wow.

      Wait... there are people who run PHP code, on a server, as root? Untrusted PHP code they don't control to boot? Uhhh, wow.

      Wait... there are people who run Python code, on a server, as root? Untrusted Python code they don't control to boot? Uhhh, wow.

      FTFY...

      It isn't about the language, it's about package management. Singling out Javascript makes you look like an idiot because you don't understand the problem.

  5. Not really. Javascript breaks production by raymorris · · Score: 5, Interesting

    I don't think this is really applicable to any other language. With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

    With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production. You never see, never mind test, the code before it runs on your production systems. With any other language, you'd upgrade production to a known, vetted version only occasionally. If there was an issue the community hadn't already caught, hopefully you would catch problems in testing.

    We saw a similar problem last week - somebody removed their package from the repository and that broke everyone's production systems.

    This approach may sound insane. Because it is.

    1. Re:Not really. Javascript breaks production by __aaclcg7560 · · Score: 2

      With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

      As a Software QA test intern, I found a crash bug on the test server that I could easily reproduced 100% of the time. My manager could not no matter how many times I showed him how to do so. Since he couldn't reproduce it all, he signed off the update to the production servers. The bug crashed the production servers immediately. The engineers discovered a deep flaw in the code, pulled the production servers offline for three days, and the company lost $250K in revenues. My internship wasn't renewed and I wasn't hired full time (much to the disappointment of my manager). One-third of the staff got laid off a month after I left so the company could recover the lost revenues. That started a death spiral for the project.

      With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production.

      The copy-and-paste script kiddies haven't figured out that they need to host local copies of those files with their program files or on a CDN.

    2. Re:Not really. Javascript breaks production by KGIII · · Score: 2

      It's not like they assigned themselves that score. He needn't justify shit for you.

      --
      "So long and thanks for all the fish."
    3. Re:Not really. Javascript breaks production by Gr8Apes · · Score: 2

      Unfortunately the majority of the script kiddies, sorry, "rockstar ninjas" coding javascript don't have a clue what anything other than "file" means in your statement. They are insane, by our standards. And yes, I know where of I speak, as I'm having "fun" bringing a modified JS library into our client side framework for a new web client. To call it a pain in the ass would make counting parens in LISP a joy by comparison. It's exactly the regurgitated half-digested vomit I'd expect to come out of a bunch of script kiddies. The final fixed version will probably wind up not having saved me any time over writing the entire component from scratch, although the promise was there until I actually exercised the functionality we needed. Yes, I offered the fixes back up the chain. Apparently JS people (including NodeJS) don't really care about correctly functioning code.

      --
      The cesspool just got a check and balance.
    4. Re: Not really. Javascript breaks production by Stewie241 · · Score: 2

      What can happen is including npm install as part of your deployment process. Depending on how tightly you specify your dependencies this could result in packages getting updated to versions that have not been tested with your code by simply redeploying (or maybe somebody has put this in as part of the flex up process, so you end up with new app servers with slightly different code than older app servers.

      There are many ways to solve this, but it can get overlooked until you get bitten in the ass and deploy code that isn't what you thought you were because some package dev somewhere released a package upgrade.

  6. The issue with dep managers and version wildcards by Anonymous Coward · · Score: 2, Insightful

    I argue this with other devs a lot. Dependency managers, *especially* if you use version wildcards, are asking for trouble. Keep more of a handle on what your dependencies are, and only move versions if there's a compelling reason (security update, huge performance boost, etc).

  7. * to the best of my understanding. Details may be by raymorris · · Score: 4, Informative

    The above post is my (small) understanding of the issue. I'm sure node.js fans will point out a detail that I missed. I'm no expert on Node.js because as someone else pointed out, you use Javascript in the browser, despite it's many flaws, because you have no choice. On the server side, there are several much better options, so it would seem that only people too lazy to learn a server-side language would use Javascript on the server (or maybe some other special case).

  8. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 4, Funny

    I'm sure node.js fans will point out a detail that I missed.

    Nah, they'll just copy and paste someone elses reply that they found on StackOverflow.

  9. Not specific to Javascript by Junta · · Score: 2

    CPAN, PyPI, RubyGems, et al all encourage this behavior in a manner that enables a particular language developer.

    Similarly, prolifiretaion of other enabling technologies (e.g. copr, ppa, etc repositories or dockerhub hosted images) have similar implications at different levels.

    The thing is once upon a time, this was all a pain in the ass, to be tolerated until you would do the packaging all nice and neat. These rather nice things all came about because people didn't want to tolerate the pain in the ass of tracking all these dependencies just to get started, and suddenly pulling in some arbitrary library from the internet is not much more complex than a single include/import/use/whatever statement.

    So far so good, until people stop using it as something to get started and/or something to get their personal setup going, and started advocating fast and loose references as a way of life for production setups and delivering to third parties. There's an assumption baked into all these setups that code only ever gets better over time, and it's best to get 'latest' no matter what (even in the face of who knows what attempts to change things, with bugs and interface changes and all).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  10. Re: * to the best of my understanding. Details may by Billly+Gates · · Score: 2

    But only node.js can be a total rockstar language man

    --
    http://saveie6.com/
  11. Re:The issue with dep managers and version wildcar by Junta · · Score: 2

    It really depends on the real audience.

    What I like to do is offer two paths to download. One via a channel like CPAN or such, and as a package repository. If someone asks 'how to run the code' I say 'add this package repository (yum/apt) that we support and maintain', and there we are strict about the dependencies, mirroring, updating, and testing them. There's a dependency that sees a major release? Good for them, they aren't in the repository until they get tested. The users of the yum/apt get priority support-wise because it's much less variation to contend with and sort out.

    If a developer wants to build something themselves and grabs it from the CPAN/PyPI/whathaveyou, I let them get the 'latest and greatest' knowing that they are better enabled to cope with the risk and sort through. The hope is that they would, in turn, do the appropriate effort to make a *supportable* distribution of their project, but if they don't, it's on them rather than me.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  12. Re:time to spread? by slashdice · · Score: 2

    Remember those ads from the 80s and 90s about how sleeping with one person is like sleeping with all the people they slept with? Node and NPM are like that, if you slept with Charlie Sheen. It's like everybody is having a contest to see how many dependencies they can require. Who knew it takes 3 dependencies to figure out if a number is positive?

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  13. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 2, Interesting

    Capable, yes, in that it executes code, the best option, pretty much never.

    I take a polyglot approach to backend development and I've yet to find a case where node.js was actually the best tool. This is not user preference, this is understanding the tools you use. I've yet to find anyone using node.js who is competant in more than just javascript.

  14. Re:Why the Javascript hate here? by leptons · · Score: 2

    You're the only other sane person in this thread. I know this is slashdot, and it's full of anti-javascript hatred to it's core, but all these comments overlook that this isn't a javascript problem, this is a package manager problem which other languages also have. Nothing about this is really specific to javascript at all, but it's an all-too-convenient reason to bash javascript yet again in an online forum that has jumped the shark many years ago.

  15. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 4, Interesting

    Your comments read like a confused mess. It saddens me they have both been modded so highly. But ill informed JS hate has always ridden high in these parts.

    Firstly, neither Javascript nor Node do anything you describe, and laying the accusations solely at the feet of Javascript itself is just laughable. Like blaming paper for having had a bad novel printed on it. Javascript is just code, a bunch of text files sitting in a directory. Node processes/runs that code when you tell it to. It'll either exit out on completion or keep going if that's what you've set up your code to do. That's it.

    The problems you describe are with a third entity, Node Package Manager (NPM) which, while now included with Node, is not Node, does not run when Node does and is merely a tool you can choose to use (or, apparently, abuse) as you see fit to install and manage external (or even internal) packages. Those packages in turn are again just Javascript - text files sitting in a directory that will be processed by Node if your code calls that dependency.

    I have no desire to explain out further basics of NPM, but needless to say my experience has been, of course, entirely different to what you describe. NPM is not some rampaging beast updating shit behind your back without telling you (unless you actually are running NPM directly on your production servers - in which case, shame on you). The symptoms you describe actually suggest the opposite. Someone changed the packages.json file and everyone else failed to run npm to update the local packages to match after getting latest. So you all went out of sync with whoever made that change. That's a failure in your deployment and testing strategies, nothing more.