News Report: Manifest Confusion Vulnerability in NPM
Last week, Darcy Clarke, a former engineering manager at GitHub and npm, raised concerns in the developer community about an issue he calls “manifest confusion”, which can let a published package hide malicious code or install scripts that run during installation.
The “manifest confusion” vulnerability highlights a security weakness in the npm registry. It arises because the registry stores a package's metadata (its manifest, the data shown on the npm package page and served to the npm CLI) separately from the package.json inside the published tarball, and never verifies that the two agree. The manifest the registry displays can therefore differ from the package.json that is actually installed.
Because of this gap, an attacker who publishes a package can make its manifest omit or alter dependencies and scripts that are present in the tarball's package.json. Those entries are not visible on npm, but they are still present in the package itself and take effect when it is installed.
This exposes developers to several risks: cache poisoning, installation of unlisted dependencies, execution of unknown install scripts, and downgrade attacks through a mismatched version.
Since npm has not yet addressed the issue, and it is unclear whether the platform plans to, Clarke suggests that developers stop relying on manifest data and instead use a registry proxy that verifies the manifest against the package.json in the tarball. This is not the most convenient solution, but it is currently the only known working and safe option.
Meanwhile, system administrator and white-hat hacker Felix Pankratz has released a Python-based tool to help developers quickly check npm packages for such inconsistencies. It is available via https://felixpankratz.de/.
To use the tool, developers first install its Python dependencies with pip by running “pip install -r requirements.txt”. They can then check a package by passing its name as the first argument to the script, for example “./npm-manifest-check.py darcyclarke-manifest-pkg”. The tool flags any mismatch in the version, dependencies, scripts, and package name between the registry manifest and the actual package.json.
To check multiple packages, developers can add them to the “packages.list” file (one package per line) and run the “check_packages.sh” shell script, which reports any inconsistencies found in each package. Developers can obtain a certification guide
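The following is an added Python example, not Pankratz's tool and not code from the article, showing the check such a tool performs: it parses package.json out of an npm tarball and compares the fields the article lists (name, version, dependencies, scripts) against the registry manifest. The sample manifest and tarball are constructed inline so the example runs offline; the fetch_and_check helper, which needs network access, assumes the registry's per-version endpoint https://registry.npmjs.org/<name>/<version> and the dist.tarball URL it returns.

```python
"""Compare an npm registry manifest against the package.json inside the tarball."""
import io
import json
import tarfile
import urllib.request

# Fields the registry manifest should agree with the tarball's package.json on.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def package_json_from_tarball(tarball_bytes: bytes) -> dict:
    """Extract and parse package/package.json from a gzipped npm tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        # npm tarballs place the package root under "package/".
        member = tar.getmember("package/package.json")
        data = tar.extractfile(member).read()
    return json.loads(data)


def compare_manifest(manifest: dict, pkg_json: dict) -> list:
    """Return (field, manifest_value, tarball_value) tuples for every mismatch."""
    diffs = []
    for field in CHECKED_FIELDS:
        m = manifest.get(field)
        t = pkg_json.get(field)
        # Treat an absent dependencies/scripts map as empty so "missing" == "{}".
        if field in ("dependencies", "scripts"):
            m = m or {}
            t = t or {}
        if m != t:
            diffs.append((field, m, t))
    return diffs


def fetch_and_check(name: str, version: str) -> list:
    """Fetch the manifest and tarball for a published version and compare them.

    Requires network access; the offline demo below does not call it.
    Assumes the registry's per-version endpoint and its dist.tarball field.
    """
    url = f"https://registry.npmjs.org/{name}/{version}"
    with urllib.request.urlopen(url) as resp:
        manifest = json.load(resp)
    with urllib.request.urlopen(manifest["dist"]["tarball"]) as resp:
        tarball = resp.read()
    return compare_manifest(manifest, package_json_from_tarball(tarball))


def build_tarball(pkg_json: dict) -> bytes:
    """Build an in-memory gzipped tarball containing package/package.json (constructed sample)."""
    buf = io.BytesIO()
    payload = json.dumps(pkg_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: what the registry shows vs. what is inside the tarball.
# The tarball carries an extra dependency and a preinstall script the manifest omits.
SAMPLE_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21"},
}
SAMPLE_PACKAGE_JSON = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "hidden-dep": "1.2.3"},
    "scripts": {"preinstall": "node ./setup.js"},
}


def demo() -> list:
    """Run the comparison on the constructed sample and return the mismatches."""
    tarball = build_tarball(SAMPLE_PACKAGE_JSON)
    return compare_manifest(SAMPLE_MANIFEST, package_json_from_tarball(tarball))


if __name__ == "__main__":
    for field, m, t in demo():
        print(f"MISMATCH {field}: manifest={m!r} tarball={t!r}")
```

The comparison deliberately normalises a missing dependencies or scripts map to an empty one, because a manifest that simply omits "scripts" while the tarball declares a preinstall hook is exactly the case an attacker relies on.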