“A npm package’s manifest is published independently from its tarball,” Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. “Manifests are never fully validated against the tarball’s contents.”
“The ecosystem has broadly assumed the contents of the manifest and tarball are consistent,” Clarke added.
The problem, at its core, stems from the fact that the manifest and the package metadata are decoupled and never cross-referenced against one another, which leads to unexpected behavior and opens the door to misuse whenever the two disagree.
As a result, a threat actor could exploit this loophole to publish a module whose manifest file (package.json) contains hidden dependencies and runs install scripts, which could then pave the way for a supply chain attack and the poisoning of a developer's environment.
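The defender-side check that follows from the mismatch described above is to fetch both artifacts and compare them yourself. The Python below is an added example written for this page, not code from the article or from npm or Darcy Clarke's write-up: it reads the package.json out of an npm-style tarball and diffs its `dependencies` and `scripts` fields against the manifest the registry advertises. The sample registry manifest, tarball, package name, dependency name and `postinstall` command are all constructed placeholders, and the choice of which fields to compare is this example's assumption.

```python
"""Detect npm "manifest confusion": compare the manifest the registry serves
(what tooling trusts) against the package.json inside the tarball (what is
actually installed). Added example, not from the original article; the sample
manifest and tarball below are constructed inline, not real packages."""
import io
import json
import tarfile

# Assumption: these are the fields whose mismatch changes what gets installed or run.
SENSITIVE_FIELDS = ("dependencies", "scripts")


def manifest_from_tarball(tarball_bytes: bytes) -> dict:
    """Parse package/package.json from a gzip-compressed npm tarball held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        data = tar.extractfile(member).read()
    return json.loads(data)


def find_mismatches(registry_manifest: dict, tarball_manifest: dict) -> dict:
    """Return {field: (registry_value, tarball_value)} for every sensitive field that differs."""
    diffs = {}
    for field in SENSITIVE_FIELDS:
        reg = registry_manifest.get(field, {})
        tar = tarball_manifest.get(field, {})
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs


def build_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style tarball (package/package.json only) in memory. Fixture only."""
    buf = io.BytesIO()
    payload = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: the manifest the registry shows looks clean ...
REGISTRY_MANIFEST = {
    "name": "example-pkg",  # placeholder package name
    "version": "1.0.0",
    "dependencies": {},
}
# ... while the package.json inside the tarball carries an extra dependency and an install hook.
TARBALL_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"some-extra-dep": "^1.0.0"},  # placeholder dependency
    "scripts": {"postinstall": "node setup.js"},   # placeholder install script
}
SAMPLE_TARBALL = build_tarball(TARBALL_MANIFEST)


def check_sample() -> dict:
    """Run the comparison on the constructed sample; non-empty result means a mismatch."""
    return find_mismatches(REGISTRY_MANIFEST, manifest_from_tarball(SAMPLE_TARBALL))


if __name__ == "__main__":
    for field, (reg, tar) in check_sample().items():
        print(f"MISMATCH {field}: registry={reg!r} tarball={tar!r}")
```

Against a real package the registry side comes from the version entry in the packument at `https://registry.npmjs.org/<name>` and the tarball from that entry's `dist.tarball` URL; the comparison logic is unchanged. An empty result from `find_mismatches` is the expected state for a consistent publish, and any non-empty result is worth blocking in CI before the package is installed.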