Typo-squatting NPM software supply chain attack uncovered

Researchers at ReversingLabs have uncovered evidence of a widespread software supply chain attack through malicious JavaScript packages picked up via NPM. NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years (from authorization problems in 2021 to credential problems this …

  1. Anonymous Coward

    flat namespace is typo-squatting friendly.

    The predominantly used flat NPM namespace aggravates this problem.

    In fact, NPM allows a two-level namespace <account name>/<package name>, but that is so rarely used that using it, without also ensuring the rhs <package name> is unused and claiming it, would be an invitation for a hacker to do so. Therefore, most developers won't bother with the account name.

    IMO, what NPM should do at a minimum is to require all new packages to include the <account name> component.

    NPM might also require a two or three character distance difference between any new account and any existing one.

    1. Anonymous Coward

      Re: a two or three character distance difference

      Or perhaps add a sort of npm-mandated checksum to the name? E.g. project "banana" would be given the npm name / be published as e.g. "banana_df3e", where the "df3e" was generated from "banana". Thus typosquatting project "banama" might be published by npm as e.g. "banama_a136" ... and "bamana" as "bamana_5fa8".

      Hmm. A bit ugly, I suppose.

      1. Anonymous Coward

        Re: a two or three character distance difference

        Interesting, and it would work for some users, but others might just ignore the suffix completely and only look at the left-hand side. Or auto-completion might be used to fill in the rhs.

    2. veti

      Re: flat namespace is typo-squatting friendly.

      Surely all that would do is move the attack up a level. Put the typo in the account name, then the package can have the name spelled correctly.

      How about an automated check for names that were very similar to existing ones, triggering a deeper review of the content being posted?

    3. John Brown (no body)

      Re: flat namespace is typo-squatting friendly.

      "NPM might also require a two or three character distance difference between any new account and any existing one."

      I'd think that would be the best option as a first choice, primarily because it will also preclude accidental typos from happening in many cases, let alone malicious ones. Something that should be fairly easy to block programmatically, at least for new names. There will be cases of people wanting a very similar name, but that should be limited, in the first instance, to those people who already own the original name. Of course, enforcing this properly will also require more humans to check and arbitrate for genuine name clashes, and that costs money, so it either won't happen or it will be entirely automated, leading to disastrous "unforeseen" consequences.
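The thread above proposes a registry-side rule: reject or hold for review any new name within two or three edits of an existing one, exempt owners of the original name, and (per veti's point) compare the account part as well so a typo in the scope with a correctly spelled package is also caught. The block below is an added example written for this page, not code from the article, from npm or from any commenter. It uses npm's actual scoped-name syntax `@scope/name` for the account component; `SAMPLE_REGISTRY`, the package names and the owners in it are constructed sample data, and `nearDuplicates`, `isNameAllowed` and the threshold of 2 are assumptions chosen for the illustration.

```javascript
// Added example, not from the article or the thread: a near-duplicate check
// for newly requested package names, modelled on the "two or three character
// distance" rule proposed in the comments. Registry contents are constructed.

// Levenshtein edit distance between two strings (single-row dynamic programme).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = tmp;
    }
  }
  return prev[b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function parseName(full) {
  const m = /^(?:@([^/]+)\/)?([^/]+)$/.exec(full);
  if (!m) throw new Error(`malformed package name: ${full}`);
  return { scope: m[1] || null, name: m[2] };
}

// Constructed sample registry: package name -> owning account (hypothetical).
const SAMPLE_REGISTRY = new Map([
  ['banana', 'alice'],
  ['@alice/banana', 'alice'],
  ['leftpad', 'bob'],
  ['@acme/loader', 'acme'],
]);

// Existing names the candidate is confusable with. Unscoped names are compared
// on the package part only; scoped names on both scope and package part, so a
// typo in the scope with the package spelled correctly is caught too. Names
// owned by the requesting account are exempt, since an owner may legitimately
// publish variants of their own package.
function nearDuplicates(candidate, owner, registry, maxDistance = 2) {
  const c = parseName(candidate);
  const hits = [];
  for (const [existing, existingOwner] of registry) {
    if (existingOwner === owner) continue;
    const e = parseName(existing);
    // Scoped and unscoped names live in different namespaces; not confusable here.
    if ((c.scope === null) !== (e.scope === null)) continue;
    const nameDist = editDistance(c.name, e.name);
    const scopeDist = c.scope === null ? 0 : editDistance(c.scope, e.scope);
    if (nameDist <= maxDistance && scopeDist <= maxDistance) {
      hits.push({ existing, distance: nameDist + scopeDist });
    }
  }
  return hits.sort((x, y) => x.distance - y.distance);
}

// A name is accepted automatically only when nothing confusable exists;
// otherwise it is held for the human review the thread mentions.
function isNameAllowed(candidate, owner, registry, maxDistance = 2) {
  return nearDuplicates(candidate, owner, registry, maxDistance).length === 0;
}

// Usage: three constructed publish requests decided against the sample registry.
for (const [name, owner] of [['banama', 'mallory'], ['@alcie/banana', 'mallory'], ['bananas', 'alice']]) {
  const verdict = isNameAllowed(name, owner, SAMPLE_REGISTRY) ? 'allowed' : 'needs review';
  console.log(name, 'by', owner, '->', verdict, nearDuplicates(name, owner, SAMPLE_REGISTRY));
}
```

Plain Levenshtein counts a transposition as two edits, so a threshold of 2 also catches swapped adjacent letters; a larger threshold produces more false positives on short names, which is where the arbitration cost John Brown mentions comes in.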

  2. Anonymous Coward

    Why is obfuscated code allowed in NPM?

    I can't see any reason why NPM should accept obfuscated code in the first place. All code should be open for easy inspection.

    1. Missing Semicolon

      Re: Why is obfuscated code allowed in NPM?

      Then we end up in an arms race between obfuscators and obfuscation detectors.
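To make the "obfuscation detector" side of that arms race concrete, here is an added example, written for this page and not taken from the article, from npm or from either commenter: a handful of registry-side heuristics that flag a submitted JavaScript file for manual review rather than rejecting it outright. The heuristic names, the thresholds, and both sample sources (`CLEAN_SAMPLE`, `OBFUSCATED_SAMPLE`) are constructed for the illustration; the "obfuscated" sample merely logs a string and is not from any real package.

```javascript
// Added example, not from the article or the thread: simple indicators of
// mechanically obfuscated JavaScript, for routing a package to human review.
// Thresholds and samples are constructed; they are not npm's own rules.

const HEURISTICS = [
  // Dense \xNN or \uNNNN escapes standing in for plain string literals.
  ['hex-escapes', src => (src.match(/\\(?:x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})/g) || []).length >= 8],
  // Identifiers of the form _0x1a2b, typical of mechanical renaming.
  ['hex-identifiers', src => (src.match(/\b_0x[0-9a-fA-F]{3,}\b/g) || []).length >= 3],
  // Code assembled from strings at run time.
  ['dynamic-eval', src => /\b(?:eval|Function)\s*\(|fromCharCode|\batob\s*\(/.test(src)],
  // One extremely long line: ordinary for minified code, but it adds weight
  // when it appears together with the indicators above.
  ['long-line', src => src.split('\n').some(line => line.length > 500)],
];

// Names of the heuristics that fire on the given source text, in table order.
function obfuscationIndicators(src) {
  return HEURISTICS.filter(([, test]) => test(src)).map(([name]) => name);
}

// Require more than one indicator so that minified-but-honest code with a
// single long line is not held up.
function needsReview(src, minIndicators = 2) {
  return obfuscationIndicators(src).length >= minIndicators;
}

// Constructed sample: readable code that should pass untouched.
const CLEAN_SAMPLE = `
function add(a, b) {
  return a + b;
}
module.exports = { add };
`;

// Constructed sample: the same kind of string-table-and-renamed-identifier
// output a mechanical obfuscator produces. It only logs "hello".
const OBFUSCATED_SAMPLE =
  "var _0x4f3a=['\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65','\\x6c\\x6f\\x67','\\x68\\x65\\x6c\\x6c\\x6f'];" +
  "var _0x2b1c=function(_0x1d9e){return _0x4f3a[_0x1d9e];};" +
  "(function(){window[_0x2b1c(0)][_0x2b1c(1)](_0x2b1c(2));})();";

// Usage: report what fires on each sample.
for (const [label, src] of [['clean', CLEAN_SAMPLE], ['obfuscated', OBFUSCATED_SAMPLE]]) {
  console.log(label, obfuscationIndicators(src), needsReview(src) ? 'review' : 'pass');
}
```

Each heuristic is cheap to compute and cheap to avoid, which is the arms race Missing Semicolon describes: the value of such checks is in raising review rates and feeding human judgement, not in being a hard gate.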
