WhiteSource report warns of NPM registry risks

Provider of open source vulnerability scanning software finds malicious packages on widely used JavaScript package registry.


The popular NPM registry of JavaScript packages was described as a playground for malicious actors by software scanning services provider WhiteSource Software, which has published a report of its vulnerability analysis of the registry.

The WhiteSource research report, released February 2, was based on data culled using the WhiteSource Diffend malware detection platform. WhiteSource said it has reported more than 1,300 malicious packages to NPM in the past six months.

Malware subsequently removed by NPM was found to be stealing both credentials and cryptocurrency and running botnets, said WhiteSource.

The company said that nearly 14 per cent of the malicious packages detected were designed to steal sensitive information such as credentials present in environment variables. While attackers using malicious packages often do not target particular companies or entities, some packages were designed to target certain systems.

Note that NPM does contain nearly two million packages, so 1,300 malicious packages amounts to significantly less than one percent. 

WhiteSource described NPM as the most widely used package manager of any language, with the number of packages in the registry having grown from 1.3 million in April 2020 to more than 1.8 million today. Some 32,000 new packages were published monthly in 2021, according to WhiteSource.

The NPM registry has had some noteworthy issues pertaining to dependencies. In January, malicious code was committed to the Faker and Colors libraries, impacting thousands of projects. GitHub, which oversees NPM, removed the packages and suspended the user account. And in 2016, the unpublishing of a small JavaScript package broke multiple dependencies.
