ARN

WhiteSource report warns of NPM registry risks

Provider of open source vulnerability scanning software finds malicious packages on widely used JavaScript package registry.

The popular NPM registry of JavaScript packages was described as a playground for malicious actors by software scanning services provider WhiteSource Software, which has published a report of its vulnerability analysis of the registry.

The WhiteSource research report, released February 2, was based on data culled using the WhiteSource Diffend malware detection platform. WhiteSource said it has reported more than 1,300 malicious packages to NPM in the past six months.

Malware subsequently removed by NPM was found to be stealing both credentials and cryptocurrency and running botnets, said WhiteSource. 

The company said that nearly 14 per cent of the malicious packages detected were designed to steal sensitive information such as credentials present in environment variables. While attackers using malicious packages often do not target particular companies or entities, some packages were designed to target certain systems.

Note that NPM contains nearly two million packages, so 1,300 malicious packages amounts to significantly less than one per cent.

WhiteSource described NPM as the most widely used package manager of any language, with the number of packages in the registry having grown from 1.3 million in April 2020 to more than 1.8 million today. Some 32,000 new packages were published monthly in 2021, according to WhiteSource.

The NPM registry has had some noteworthy issues pertaining to dependencies. In January, malicious code was committed to the Faker and Colors libraries, impacting thousands of projects. GitHub, which oversees NPM, removed the packages and suspended the user account. And in 2016, the unpublishing of a small JavaScript package broke multiple dependencies.