
Node.js Package Manager’s Exploitation can Let Other Malicious Packages Execute Code


Node.js Package Manager (NPM) offers an easy way to restore packages onto a given computer or server so that the same packages can be reused across coding projects. The method is well designed, fast and convenient, which is why the majority of JavaScript developers have adopted it.

However, according to Sam Saccone, a software engineer at Google, a flaw in NPM's design can let an attacker wreak havoc across the whole JavaScript ecosystem.

The people behind NPM recently acknowledged a security flaw in their method that could let malicious packages execute arbitrary code on developers' machines, making possible an NPM worm of a kind never seen before. Saccone published vulnerability report VU319816, titled "npm fails to restrict the actions of malicious npm packages," which describes the steps needed to build such a worm and to let it spread automatically. Although the report dates from January 2016, the problem has been known since the very first release of the NPM repository manager.

The scripts in question run with the end user's current privileges, which on some operating systems may be system/root. The problem is widely known; Saccone nevertheless chose to raise an alert about it, since it could affect other package managers too.

NPM uses these scripts for client-side execution as well as build-time authentication when a client downloads and uses modules. For instance, the left-pad debacle was resolved by republishing the module; but had infected code been placed inside that widely used module, it could have executed code on countless systems. Infoq.com reported this on March 26, 2016.

The attack Saccone describes is extremely simple: a basic worm. It begins with a fake npm package that bundles a malicious script alongside some genuine functionality intended to lure developers into using it.

Any developer who comes across the malicious package and finds its genuine feature useful will run "npm install" to add it to a project. The lifecycle scripts mentioned above can then carry out malicious activity on the affected machine with the full rights of the end user.

SPAMfighter News - 4/1/2016
