Study Reveals Discrepancies in NPM Registry Leading to Potential Security Threats
A recent study by JFROG has uncovered over 800 packages in the NPM registry that have discrepancies between the information provided in the package itself and their actual contents. Some of these packages are utilizing the Manifest Confusion technique to deceive developers and conceal malicious code within the package.
The issue of MANIFEST MANIFEST ConFUSION, also known as MANIFETS A Confusion, was first identified in June 2023 by security researcher Darcy Clark. This discovery highlighted how inconsistencies between the manifest and metadata could be exploited for attacks on the software supply chain.
One of the main concerns is that the NPM registry does not verify if the manifest file in the archive (Package.json) matches the manifest data provided by the NPM server during the package publishing process.
This vulnerability allows attackers to replace the manifest with hidden dependencies that are then installed invisibly along with the package, introducing malicious elements into the developer’s system.
JFROG’s report reveals that out of the 800 packages with discrepancies, 18 of them are suspected to have been crafted with malicious intent. While many of the inconsistencies are due to protocol specification differences or scripting section variations, some packages are deliberately created for harmful purposes.
For example, a package named “Yatai-Web-UI” is designed to send an HTTP request to the server, providing information about the IP address of the machine where the package is installed.
Although there have been no reported instances of attackers exploiting this vulnerability for data tampering, developers are urged to remain vigilant to safeguard their systems and protect the software supply chain.
JFROG researchers emphasize that organizations should not solely rely on the appearance of packages on the NPM platform as an indicator of their safety. It is crucial for organizations to implement rigorous procedures for verifying the security of all packages used by developers, specifically to detect any hidden dependencies that may pose a security risk.