Liran Tal

Developer Advocate at Snyk

Malicious Modules on npm

A Series of Unfortunate Events

@liran_tal
github.com/lirantal


npm's Heavy reuse

Spring web framework

10 transitive dependencies

Express web framework

47 transitive dependencies

src: https://snyk.io/opensourcesecurity-2019

The Biggest Repository

Invites big risks

Lucrative attack playground

Open and free-to-publish ecosystem

Difficult to counter-measure

- Disconnect between SCM and Registry

- Committer !== Publisher

676,539 packages for 199,327 maintainers

stat of the day

~4.5 packages/maintainer average ratio for 2018



a small, linear increase in direct dependencies leads to a significant, super-linear increase in transitive dependencies



transitive dependencies of an average package have increased to a staggering 80 in 2018



the red line shows that in 2018, about 24,500 packages have reached at least 10 other packages


some popular packages reach more than 100,000 other packages via direct or transitive dependencies


event-stream reached 5,466 packages when it was compromised, and it is not even considered a "top" influencer


adjusting for devDependencies, which event-stream targeted, its reach is now computed at 100,000 other packages, only 347 packages away from the top

stat of the week


for the majority of the time, the reach of vulnerable, unpatched code is between 30% and 40%, which is alarming.


a sign of a healthy security community that reports vulnerabilities at a very good pace, keeping up with the growth of the ecosystem

(Zimmermann, Staicu, Tenny, Pradel, 2019)

http://software-lab.org/publications/npm_study_arXiv_1902.09217.pdf

Typosquatting Attacks

Compromised Accounts

Social Engineering

Malicious Modules

Malicious Modules

time

Jan 2015

rimrafall


research paper

Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface


Jan 2017

crossenv

$ npm install crossenv --save

crossenv    !=   cross-env

crossenv/package.json

crossenv/package-setup.js

coffescript    or    coffe-script    !=    coffeescript

src: https://snyk.io/vuln

How did we find out about this malicious crossenv package?

post-install script ✅

call-home base64 payload ✅

research paper

Highly popular packages directly or indirectly influence many other packages (often more than 100,000) and are thus potential targets for injecting malware.


May 2018

getcookies

getcookies

parse http headers for cookie data

or does it... ?

getcookies

http-fetch-cookies
└── express-cookies
    └── getcookies

getcookies

mailparser
└── http-fetch-cookies
    └── express-cookies
        └── getcookies

Reset the buffer

Load JavaScript code

Execute code

Observation 1

security by code review has to be on-point ALL THE TIME, whereas attackers only have to get lucky ONCE


May 2018

getcookies

Jul 2018

eslint-scope

eslint-scope 3.7.2

malicious package published

What's going on?

Who depends on eslint-scope?

babel-eslint

eslint

webpack

npm invalidates all tokens

<= 2018-07-12

estimated potential ~4,500 accounts were compromised

Observation 2

a malicious eslint-scope version was published to npm, but the actors had no GitHub repository access, so the source code differed between GitHub and the published npm package

How does something like this happen?

Compromised Contributors ?

14%

compromised npm modules


src: https://github.com/ChALkeR/notes


20%

npm total monthly downloads

express

react

debug

moment

request


662 users had their password set to 123456

1409 users had their password set to their username

11% of users had their password set to a previously leaked password


event-stream

Nov 2019

src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor

Observation 3

due to the increased use of transpilers, reviewing and comparing the actual source code against the distributed code is a real problem

Dependency Management


Common Security
Vulnerabilities

Command Injection

The npmjs Ecosystem

Silver Linings in
Node.js Security

react-native

reactnative

rea-ct.native

react_native

   @lirantal/rea-ct.native

Fighting Typosquatting

Package Moniker Rules


JSONStream    !=    jsonstream

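npm's moniker rule treats names that are identical after lower-casing and stripping `.`, `-` and `_` as the same name, which is what rejects `jsonstream` against JSONStream and would have rejected `crossenv` against cross-env. Added example, not from the talk: a checker that applies that normalization against a constructed list of known packages and, going beyond npm's own rule, also flags names one edit away, which is what catches `coffescript`.

```javascript
// Added example, not from the talk. KNOWN_PACKAGES is a constructed sample
// standing in for the registry's existing names.
const KNOWN_PACKAGES = ['cross-env', 'coffeescript', 'react-native', 'JSONStream', 'express'];

// npm's moniker rule: names identical after case-folding and removing
// punctuation (. - _) are treated as the same name.
function moniker(name) {
  return name.toLowerCase().replace(/[._-]/g, '');
}

// Levenshtein distance, single-row dynamic programming. This is an added
// heuristic on top of the moniker rule, not something npm itself enforces.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                              // deletion
        prev[j - 1] + 1,                          // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),   // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Verdicts: 'exact' (a known name), 'moniker-collision' (same name under
// npm's rule), 'near-typo' (one edit from a known moniker), or 'unknown'.
function checkName(requested, known = KNOWN_PACKAGES) {
  if (known.includes(requested)) return { verdict: 'exact', match: requested };
  const m = moniker(requested);
  const collision = known.find((k) => moniker(k) === m);
  if (collision) return { verdict: 'moniker-collision', match: collision };
  const near = known.find((k) => editDistance(m, moniker(k)) <= 1);
  if (near) return { verdict: 'near-typo', match: near };
  return { verdict: 'unknown', match: null };
}

// The names from the slides above, plus an exact and an unrelated name.
for (const name of ['crossenv', 'coffescript', 'coffe-script', 'jsonstream', 'rea-ct.native', 'express', 'lodash']) {
  console.log(name.padEnd(14), JSON.stringify(checkName(name)));
}
```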

Package Publishing Notifications

Enable 2FA
since npm >= 5.5.1

$ npm profile enable-2fa

2FA successfully enabled.
Below are your recovery codes,
please print these out.

Enable 2FA
caveats 😞

- auto release ?

- tokens are global for all packages

- npm recommends creating a 2nd user

Devs Take Ownership

for App Security

Source: The State of Open Source Security Report 2019, Snyk

https://snyk.io/opensourcesecurity-2019/

Find vulnerabilities in
open source dependencies

What if security was easier?

What if security was actionable?

Node.js Security Working Group

Silver Linings in
Node.js Security

The Security WG


Improving the state of Node.js Security

Incident response for Node.js core and the npm ecosystem

Security disclosure policies for bug hunters

Maintain a public vulnerability database


Vulnerability        | Package    | Monthly downloads
Uninitialized Buffer | base64url  | 2,000,000
XSS Injection        | react-svg  | 130,000
Path Traversal       | serve      | 564,000
ReDoS                | protobufjs | 7,200,000

Black Clouds & Silver Linings
in Node.js Security

01 | Malicious modules & compromised accounts

02 | Common Security Pitfalls in Node.js

03 | Developer awareness,
     Fix vulnerabilities in your open source libs,
     Node.js Security WG
@liran_tal
github.com/lirantal

Liran Tal

Developer Advocate

Use Open Source, Stay Secure.
Thank you!
