NPM had a challenging year, to put it lightly. A series of high-profile incidents resulted in headaches for system administrators, as a combination of third parties abusing the NPM platform as well as bad deployments from the NPM team themselves caused adverse effects.
In February, with the release of version 5.7.0, running sudo npm resulted in file permissions being reset across the filesystem, breaking NPM and practically anything else that requires file permissions to work. For people accustomed to semantic versioning practices, 5.7.0 would imply that the version would be safe to install. However, that version, and 5.7.1 that patched the sudo bug, are both prerelease versions, despite there being no indication in the version string or in the release announcement that this is the case.
In July, the NPM credentials of a maintainer of the eslint-scope package were compromised, leading to the release of a compromised version, which downloads and executes code from Pastebin. That code, in turn, scrapes affected systems for the .npmrc file, which contains access tokens for publishing to NPM. To their credit, the NPM team invalidated all existing tokens and unpublished the update in a matter of hours.
SEE: Research: The current state and predictions for the future of blockchain in the enterprise (Tech Pro Research)
In November, a hacker socially engineered their way into getting control of the event-stream package, offering to take it over from the original author, who lacked the time and interest to continue development. The malicious package maintainer, Right9ctrl, inserted obfuscated code that activates when it is used inside Copay, a cryptocurrency wallet app developed by BitPay. According to our sister site ZDNet, the malicious code “will steal users’ wallet information, including private keys,” for the purpose of emptying their wallets.
While two of the three incidents are technically due to developers publishing on NPM, not the NPM team itself, they do have a responsibility to ensure the security of the platform. Within that ecosystem, dependency trees have a tendency to become massive as programmers import packages for trivial circumstances- such as padding left-leading David Gilbertson to note in this essay from January about living “in an age where people install npm packages like they’re popping pain killers.” Without relitigating the merits of the left-pad incident, changes are needed to make NPM more secure and reliable for use in enterprise deployments.
These plans include identifying known vulnerabilities and advanced reporting and visualization of dependency trees, in order to gain a better understanding of what is being used in deployment. In an earlier email with TechRepublic, NPM’s Jonathan E Cowperthwait noted that the team could improve security by “surfacing information about maintainer transfers,” and “driving use of two-factor authentication.”
Baldwin defended NPM’s present track record, noting that the event-stream issue-at the core of which is obfuscated code-is a “cat and mouse game” which is “difficult when you have 100,000 mice out there.” NPM is working on tools to improve detect the use of obfuscated code, though banning the use of outright is impractical, as “legitimate” use cases for obfuscation exist. However, in the case of malicious obfuscated code in event-stream, “We didn’t detect it, but nobody else did either,” Baldwin said.
Baldwin dismissed the issues with permissions, telling TechRepublic that “using sudo with NPM is an antipattern, and users should not do it,” adding that doing so is the “lazy way out of a problem.” The February issue-which resulted in file permissions reset across the filesystem-does not occur under the root user. NPM’s upgrade documentation notes that users on Linux “may need to prefix these [commands with sudo,” which is at odds with Baldwin’s claims. Cowperthwait claims that NPM discourages it, and points to documentation on how to reinstall to not need sudo.
Asked about the sanity of using a client-side language on the server in commercial deployments, Baldwin said that programmers adopt Node.js and NPM because of the lack of “context switching, developers love being able to use the same lang client-side as server-side,” adding that “We’re trying to make this the best package manager and ecosystem for enterprises as we can, and you’re definitely going to see a shift for that in 2019.”