Select Page

The npm registry for the Node.js JavaScript runtime environment is susceptible to what’s called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation.

“A npm package’s manifest is published independently from its tarball,” Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. “Manifests are never fully validated against the tarball’s contents.”

“The ecosystem has broadly assumed the contents of the manifest and tarball are consistent,” Clarke added.

The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch.

As a result, a threat actor could exploit this loophole to publish a module with a manifest file (package.json) that contains hidden dependencies as well as run install scripts, which could then pave the way for a supply chain attack and the poisoning of a developer’s environment.

images from Hacker News