New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an “unexpected behaviour” in the npm command line interface (CLI) tool.
npm CLI’s install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.
But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package’s dependencies.
Specifically, the problem arises only when the installed package version contains a hyphen (e.g., 1.2.3-a), which is included to denote a pre-release version of an npm module.
images from Hacker News