
NPM flaw allows attackers to add anyone as a maintainer of malicious packages


A “logic flaw” in the npm registry allowed the authors of malicious packages to silently add anyone, in any number, as “maintainers” of their packages, lending those packages an unearned air of trustworthiness.

The GitHub-owned registry of Node.js packages has now fixed the flaw after cloud-native security company Aqua responsibly reported the issue.

Package Planting – Add any popular developer or company as a maintainer

A security flaw in the npm registry, dubbed ‘package planting’, allowed threat actors to silently add any developer (and any number of them) as ‘maintainers’ of their malicious packages.

“Until recently, npm allowed anyone to be added as a package maintainer without notifying these users or obtaining their consent,” explains Yakir Kadkoda, security researcher at Aqua’s Team Nautilus.

The registry would neither notify nor seek approval from the person or company being added as a maintainer of an illicit package.

To make matters worse, after adding other maintainers to the malicious package, the attacker could silently remove themselves from the maintainer list, leaving only the newly added maintainers, who have nothing to do with the attacker, attached to the package.

A technique like this can be extremely lucrative for a threat actor looking to lend credibility to their malicious components.

By adding trusted developers and popular companies as maintainers of their malicious packages, attackers have a much better chance of tricking developers into installing their packages without raising an eyebrow.

To demonstrate the concept, Kadkoda published a test package, ‘fb_npm_package’, in the registry, initially with his npm demo account as the package's sole maintainer.

The official Facebook (Meta) and npm accounts were then added to the list of project maintainers by the researcher, and were later removed.

[Image: fb_npm_package npm page] An example library ‘fb_npm_package’ with Facebook added as a maintainer (BleepingComputer)

Anyone visiting the ‘fb_npm_package’ npm page would then see Facebook and npm listed as the package's only maintainers, which is highly misleading.

In March 2021, as reported by BleepingComputer, security researcher Alex Birsan used the same technique to get his fake test package listed on the official Microsoft Azure SDK site.

“Since you could assign poisoned packages under any popular maintainer, we call this logical flaw and its implications ‘package planting,'” the Aqua researcher writes in a report published this week.

Of course, source code control systems like GitHub leave some room for jokes: git lets a commit carry any author name and email address, and some people have repeatedly pushed mock commits that appear to come from Linux kernel creator Linus Torvalds. But cryptographic features like GPG commit signing make it possible to authoritatively attest who produced a commit and remove any doubt as to its origin.

Things get more complicated, however, when the entire ownership and maintainer list of a project can be rewritten, and doubly so in a software registry designed to ship finished packages rather than source code.

A matter of reputation, not just security

Kadkoda emphasizes that, in addition to being a security flaw, a technique such as “package planting” can be abused by adversaries to tarnish the reputation of well-respected developers in the community.

“If the attacker carefully chooses these future maintainers, it will affect the reputation and appearance of the package,” says Kadkoda.

“For example, the lodash package is very popular and credible. If we add its owners Mathias, jdalton, and bnjmnt4n to a new malicious package, many developers may fall into the trap of thinking that this package is legitimate and even attractive.”

If npm later flags the package as malicious, one plausible consequence is that the registry suspends the accounts of the “new” maintainers, who would wrongly appear to be in violation of platform policies.

Kadkoda eventually removed the test package from npm and reported the bug to npm.

An archived copy of ‘fb_npm_package’ obtained from the open source security company Sonatype of which I am a part, shows that the package is clean and does not contain any working code, just a manifest file:

[Image: fb_npm_package package.json] Inside Aqua’s mock ‘fb_npm_package’ library (BleepingComputer)

But an opportunistic threat actor could accomplish much more with a flaw like “package planting.”

Even without such flaws, attackers have repeatedly managed to poison open source repositories such as npm, PyPI, and RubyGems with malicious packages that rack up thousands of downloads.

A technique like this would further empower threat actors to add an important stamp of legitimacy to their malicious and illicit packages.

Aqua reported its findings to GitHub’s HackerOne bug bounty program on February 10 and received recognition on the 13th.

On April 26, GitHub fixed the flaw in npmjs.com and introduced a safeguard:

Inviting a new maintainer to your npm package now requires the invitee to accept the invitation before they are added to the project.

[Image: npm add maintainer invite] npm now asks newly added maintainers to accept the invite (Aqua)

There is no longer any way to replicate the issue in npm, nor any indication so far that threat actors actively exploited the technique.

Regardless, Kadkoda warns existing developers to double check projects listed in their npm account:

“npm users should verify that all packages that appear under their name really belong to them, to ensure that they were not added to any project without their consent,” concludes the researcher.
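One way to act on that advice, as an added example that is not part of the article or of Aqua's research: a Node.js script that takes the JSON the public npm search endpoint returns for a `maintainer:<username>` query, compares the packages that list the account against the packages the owner actually publishes, and reports the rest. The `demo-dev` account, the package names and the embedded response are constructed for the example; the search URL and the `username <email>` line format of `npm owner ls` are the registry's own as I know them.

```javascript
// Added example (not from the article, Aqua or npm): audit which packages list a
// given npm account as a maintainer and flag any that the owner did not publish.
//
// The input is the JSON shape returned by the public npm registry search endpoint
//   https://registry.npmjs.org/-/v1/search?text=maintainer:<username>&size=250
// A constructed sample response is embedded below so the script runs offline;
// pass a username on the command line to query the live registry instead.

// Constructed sample: three packages name the account "demo-dev" as a maintainer,
// but the account owner only ever published two of them.
const SAMPLE_SEARCH_RESPONSE = {
  objects: [
    { package: { name: 'demo-utils', version: '1.2.0',
                 maintainers: [{ username: 'demo-dev', email: 'demo@example.com' }] } },
    { package: { name: 'demo-cli', version: '0.4.1',
                 maintainers: [{ username: 'demo-dev', email: 'demo@example.com' },
                               { username: 'colleague', email: 'c@example.com' }] } },
    { package: { name: 'totally-legit-sdk', version: '9.9.9',
                 maintainers: [{ username: 'demo-dev', email: 'demo@example.com' }] } },
  ],
  total: 3,
};

// Ground truth the owner keeps themselves: the packages they actually publish.
const KNOWN_PACKAGES = ['demo-utils', 'demo-cli'];

// Names of packages in a search response that list `username` among their maintainers.
function packagesListingMaintainer(searchResponse, username) {
  return (searchResponse.objects || [])
    .map((entry) => entry.package)
    .filter((pkg) => (pkg.maintainers || []).some((m) => m.username === username))
    .map((pkg) => pkg.name);
}

// Packages that claim `username` as a maintainer but are not on the owner's list.
function findPlantedPackages(searchResponse, username, knownPackages) {
  const known = new Set(knownPackages);
  return packagesListingMaintainer(searchResponse, username)
    .filter((name) => !known.has(name))
    .sort();
}

// Parse the output of `npm owner ls <pkg>` ("username <email>" per line) into
// usernames, so one package's maintainer list can be checked the other way round.
function parseOwnerLs(output) {
  return output
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => line.split(/\s+/)[0]);
}

// Maintainers of a package that the owner does not recognise.
function unexpectedOwners(ownerLsOutput, expectedUsers) {
  const expected = new Set(expectedUsers);
  return parseOwnerLs(ownerLsOutput).filter((user) => !expected.has(user));
}

// Live lookup against the registry (Node 18+ global fetch). Search is capped at
// 250 results per request; a prolific account would need paging with &from=.
async function fetchMaintainerSearch(username) {
  const url = 'https://registry.npmjs.org/-/v1/search?text=' +
    encodeURIComponent('maintainer:' + username) + '&size=250';
  const res = await fetch(url);
  if (!res.ok) throw new Error('registry returned HTTP ' + res.status);
  return res.json();
}

async function main() {
  const [username, ...known] = process.argv.slice(2);
  if (!username) {
    console.log('Offline demo using constructed sample data:');
    console.log(findPlantedPackages(SAMPLE_SEARCH_RESPONSE, 'demo-dev', KNOWN_PACKAGES));
    return;
  }
  const response = await fetchMaintainerSearch(username);
  const planted = findPlantedPackages(response, username, known);
  console.log(planted.length ? `Unrecognised packages for ${username}:` : 'Nothing unexpected.');
  planted.forEach((name) => console.log('  ' + name));
}

if (typeof require !== 'undefined' && require.main === module) {
  main().catch((err) => { console.error(err); process.exit(1); });
}
```

Run it as `node audit.js <username> <known-pkg> ...` to check a real account. Because the fix only stops new additions, a one-shot run tells you only what is attached to the account today; the check belongs in a scheduled job that diffs against the previous result.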

Update Apr 28 08:14 ET: Added reference to Alex Birsan demonstrating a use case for the technique in 2021.
