An unusual behaviour in npm can cause malicious libraries to evade security checks (1st December 2022)

Ref# AL2022_80 | Date: Dec 1st 2022

Description  

A recent discovery by the cyber security firm JFrog reports that an unexpected behaviour in npm's Command Line Interface (CLI) can lead developers to install packages with critical vulnerabilities or malware on their systems without any warning.

Summary 

npm is a package manager for the JavaScript runtime environment Node.js. It consists of the command line interface and an online database of public and paid-for private packages, called the npm registry. The npm CLI client has built-in install and audit commands that check packages and all their dependencies for known vulnerabilities; these act as a warning mechanism for developers installing packages on their devices. The problem is that npm install and npm audit unexpectedly fail to display security advisories for packages whose versions use a certain format.

The npm client requires a strict version format that conforms to Semantic Versioning and must be parsable by node-semver. The standard version format for packages is Major.Minor.Patch, for example version 1.2.3. Pre-release versions are specified by appending a hyphen and a label immediately after the patch version, for example version 1.2.3-a. The hyphenated pre-release format appears to be what causes node-semver to return no security advisories, even when vulnerabilities exist. JFrog established this by testing a package called crudd1: installing crudd1 version 2.0.0 showed a critical vulnerability (CVE-2022-36084), while installing the pre-release version crudd1 2.0.0-update.2 showed no vulnerability even though the same vulnerable code is present in the package.

The inconsistency between regular npm package versions and pre-release versions is treated as intended functionality, but it also paves the way for attackers to exploit this behaviour. Malicious or vulnerable code could be intentionally planted in the pre-release versions of packages and would bypass the npm CLI security check.

Remediation  

To circumvent this issue, users are advised to never install npm packages with a pre-release version, unless the package is coming from an extremely reputable source. Even so, it is recommended to revert to a non-pre-release version of the package as soon as possible. 

The following commands can be used to determine if you have a npm package with a pre-release version: 

  • For Linux: npm list -a | grep -E '@[0-9]+\.[0-9]+\.[0-9]+-'

  • For Windows: npm list -a | findstr -r "@[0-9]*\.[0-9]*\.[0-9]*-"
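The grep and findstr commands above match the hyphen after the patch number textually. As an added example (not part of this alert, and not JFrog's or npm's code), the following Node.js script does the same check on the structured output of npm ls --json: it parses each version against the Semantic Versioning grammar the alert describes, so that build metadata after a plus sign (which is not a pre-release) is not flagged, and walks the dependency tree to report the path to every pre-release package. The SAMPLE_TREE object is a constructed stand-in for real npm output and mirrors the crudd1 case from the alert; the package names other than crudd1 are made up.

```javascript
// Added example: flag pre-release versions in an `npm ls --json`-style tree.
// Not from the original alert, JFrog, or npm.

// Semantic Versioning 2.0.0 grammar: MAJOR.MINOR.PATCH, optional "-prerelease",
// optional "+build". Only the hyphenated pre-release part matters here; build
// metadata after "+" does not make a version a pre-release.
const SEMVER_RE =
  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$/;

// Parse a version string into its parts, or return null if it is not semver
// (for example a git URL, a tag such as "latest", or an empty version field).
function parseVersion(version) {
  const m = SEMVER_RE.exec(String(version).trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ? m[4].split('.') : [],
    build: m[5] ? m[5].split('.') : [],
  };
}

// True only when a valid semver string carries a pre-release label.
function isPreRelease(version) {
  const v = parseVersion(version);
  return v !== null && v.prerelease.length > 0;
}

// Recursively walk the nested "dependencies" objects that `npm ls --json`
// emits and collect the path ("parent@ver > child@ver") of every installed
// package whose version is a pre-release.
function findPreReleaseDeps(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (isPreRelease(info.version)) out.push(here.join(' > '));
    findPreReleaseDeps(info, here, out);
  }
  return out;
}

// Constructed sample tree (not real npm output). crudd1 mirrors the case in
// the alert; the other package names are invented for the example.
const SAMPLE_TREE = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    crudd1: { version: '2.0.0-update.2', dependencies: {} },
    lodash: { version: '4.17.21', dependencies: {} },
    'some-tool': {
      version: '3.1.0+build.7', // build metadata only: not a pre-release
      dependencies: {
        'nested-lib': { version: '0.9.0-beta.1', dependencies: {} },
      },
    },
  },
};

for (const hit of findPreReleaseDeps(SAMPLE_TREE)) {
  console.log('pre-release dependency:', hit);
}
```

To run it against a real project, replace SAMPLE_TREE with JSON.parse of the output of npm ls --all --json (the --all flag is the long form of the -a used above); any path it prints identifies a package whose advisories npm audit may not have shown.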

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     
