“npm package manifests are published independently of their tarballs,” Darcy Clarke, former GitHub and npm engineering manager, said in a technical write-up published last week. “The manifest is never fully validated against the contents of the tarball.”
“The ecosystem widely considers the contents of manifests and tarballs to be consistent,” adds Clarke.
The problem, at its core, stems from the fact that the registry manifest and the package's own metadata are stored separately and are never cross-referenced with each other, leading to unexpected behavior and abuse when the two disagree.
As a result, threat actors can exploit this vulnerability to publish modules whose manifest files (package.json) contain hidden dependencies and installation scripts, which can then pave the way for supply chain attacks and poisoning of the developer environment.
“Obvious obfuscation becomes a problem in development environments without effective DevSecOps workflows and tools, especially when applications blindly trust application manifests rather than actual (vulnerable or malicious) files contained in open source packages,” Sonatype researcher and journalist Ax Sharma said.
This finding underscores the fact that the metadata in package manifest files alone cannot be relied upon when downloading packages from open source repositories, and that users need to scan the packages themselves for anomalous features and exploits.
GitHub, per Clarke, is said to have been aware of the issue since at least as early as November 2022, with the Microsoft subsidiary stating plans to address it internally by March 2023. However, the issue remains unresolved to date.
In the absence of an official fix, security researcher Felix Pankratz has provided a Python script which can be used to test for a mismatch between manifests in an npm module.
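As an added example (not Pankratz's script and not code from the original article), the check below compares the fields a registry advertises for a package with the package.json actually stored inside its tarball, flagging any difference in name, version, dependencies or scripts. The registry manifest and the tarball are constructed inline so it runs offline.

```python
import io
import json
import tarfile

# Manifest fields that drive dependency resolution and install-time behaviour.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")
DICT_FIELDS = ("dependencies", "scripts")

def _field(manifest, field):
    """Normalise a missing dict-valued field to {} so absence compares as 'empty'."""
    return manifest.get(field, {} if field in DICT_FIELDS else None)

def read_tarball_manifest(tarball_bytes):
    """Return the package.json stored inside an npm tarball (package/package.json)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))

def manifest_mismatches(registry_manifest, tarball_manifest):
    """Map each checked field that differs to (registry_value, tarball_value).

    An empty result means the registry's view and the tarball agree on those fields.
    """
    diffs = {}
    for field in CHECKED_FIELDS:
        reg, tar = _field(registry_manifest, field), _field(tarball_manifest, field)
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs

def build_tarball(manifest):
    """Constructed helper: pack a package.json into an in-memory npm-style tarball."""
    buf = io.BytesIO()
    data = json.dumps(manifest).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the registry advertises no dependencies and no scripts ...
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0"}
# ... while the tarball's package.json declares a hidden dependency and a postinstall hook.
TARBALL_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                    "dependencies": {"hypothetical-dep": "1.0.0"},
                    "scripts": {"postinstall": "node setup.js"}}

def check_sample():
    """Run the comparison on the constructed package; returns the mismatch map."""
    return manifest_mismatches(REGISTRY_MANIFEST, read_tarball_manifest(build_tarball(TARBALL_MANIFEST)))

if __name__ == "__main__":
    for field, (reg, tar) in check_sample().items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```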
The development also comes as developer security firm Snyk, in partnership with Redhunt Labs, checked 11,900 repositories from the top 1,000 GitHub organizations for unsafe dependencies, uncovering 1,229,601 flaws in 15,584 vulnerable dependency files.
“Untrusted data deserialization is the most common type of vulnerability with 130,831 occurrences in the Java repository, making up 40 percent of the total identified vulnerabilities,” the study said.
“Dependency threats that are vulnerable to disrupting the security state of software supply chains will remain,” said security researchers Umair Nehri and Vandana Verma Sehgal. “So developers should be careful with the dependencies they use in their projects and keep them updated to keep them patched from known vulnerabilities.”