Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Discovered On Node.js Package Manager npm (softpedia.com)

Posted by timothy on from the found-by-the-good-guys dept.

An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.

3 of 90 comments (clear)

  1. Re:Why would anyone use JavaScript?! by i.r.id10t · · Score: 5, Insightful

    Aside from that, why are libraries pulled in dynamically from the intertoobs on a production server? Why aren't the libraries packaged like Perl CPAN stuff, or PHP PEAR stuff, to be downloaded (and signature verified?) to the server or dev machine and accessed only locally? Heck a tar.gz file with a posted list of hash sums would be more secure. This is all old hat stuff that has been solved in multiple ways, no reason at all for it to be an issue now.

    --
    Don't blame me, I voted for Kodos
  2. Javascript and security? by Anonymous Coward · · Score: 5, Insightful

    Wait... there are people who run Javascript code, on a server, as root? Untrusted Javascript code they don't control to boot? Uhhh, wow.

  3. Not really. Javascript breaks production by raymorris · · Score: 5, Interesting

    I don't think this is really applicable to any other language. With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

    With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production. You never see, never mind test, the code before it runs on your production systems. With any other language, you'd upgrade production to a known, vetted version only occasionally. If there was an issue the community hadn't already caught, hopefully you would catch problems in testing.

    We saw a similar problem last week - somebody removed their package from the repository and that broke everyone's production systems.

    This approach may sound insane. Because it is.