
Last Npm Incident Uncovers Security Vulnerability

by Sergio De Simone on Jan 15, 2018

Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to resolve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.

According to the official report, the root cause of the incident was the mistaken decision to remove the user named "floatdrop" and make all of their packages undiscoverable and blocked. This decision was driven by the publication of a package containing spam that also included the README of floatdrop's legitimate package timed-out. Because the READMEs matched, npm's anti-spam system flagged floatdrop as associated with the spammer, which later led to the removal of the user and all of their packages.

The npm staff was quick to discover that floatdrop was indeed a legitimate user and that some of their packages were highly used, and acted promptly to restore them all. In the short time required for this, though, a number of packages with the same name as those removed had been published and installed an unspecified number of times.

While the npm staff confirmed that none of those replacement packages were malicious, this kind of incident could have been exploited to inject malicious code into npm users' projects. It is important to note that npm does already have a policy in place that prevents packages from being deleted later than 24 hours after their publication, with the aim of making it impossible to reuse their names; however, this policy had not previously been applied to packages deleted for spam. The rationale was that spammers should not be able to prevent legitimate names from being used.

In response to this incident, the npm staff took a number of steps, the most important of which was to implement a 24-hour cooldown on republication of any deleted package name, including packages containing spam content. This makes it much harder to inject malicious code by replacing a deleted package, but it requires the npm staff to act within a 24-hour window to restore any legitimate package name before someone attempts to reuse it.
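To make the two policies concrete, the following is a small model of the name-reuse rule described above, written as an added example for this article; it is not code from npm or from the original post. It assumes a toy registry where a name freed by a spam removal is immediately available under the old policy and subject to the 24-hour cooldown under the new one, and it assumes (hypothetically) that an administrative restore by staff bypasses the cooldown. The package and user names are taken from the incident; the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

# Cooldown length stated in the article.
COOLDOWN = timedelta(hours=24)


@dataclass
class Deletion:
    owner: str      # account that owned the package when it was removed
    reason: str     # "spam" (moderation removal) or "unpublish" (owner action)
    at: datetime


@dataclass
class Registry:
    # True  -> cooldown also covers names freed by spam removals (post-incident policy)
    # False -> spam removals free the name immediately (behaviour before the incident)
    cooldown_applies_to_spam: bool
    packages: Dict[str, str] = field(default_factory=dict)        # name -> owner
    deleted: Dict[str, Deletion] = field(default_factory=dict)    # name -> deletion record

    def publish(self, name: str, owner: str, at: datetime) -> bool:
        """Return True if `owner` is allowed to publish `name` at time `at`."""
        if name in self.packages:
            # Hypothetical simplification: only the current owner may push updates.
            return self.packages[name] == owner
        record = self.deleted.get(name)
        if record is not None:
            # The cooldown applies to ordinary unpublishes under both policies,
            # and to spam removals only under the new policy.
            blocked = self.cooldown_applies_to_spam or record.reason != "spam"
            if blocked and at - record.at < COOLDOWN:
                return False
            del self.deleted[name]   # name is free again
        self.packages[name] = owner
        return True

    def delete(self, name: str, reason: str, at: datetime) -> None:
        """Remove a package and remember who owned it and why it was removed."""
        owner = self.packages.pop(name, None)
        if owner is not None:
            self.deleted[name] = Deletion(owner, reason, at)

    def restore(self, name: str) -> bool:
        """Administrative restore by staff (assumed to bypass the cooldown).
        Fails if the name has already been taken by someone else."""
        record = self.deleted.pop(name, None)
        if record is None or name in self.packages:
            return False
        self.packages[name] = record.owner
        return True


def simulate(cooldown_applies_to_spam: bool,
             grab_after_hours: float = 0.5,
             restore_after_hours: float = 2.0) -> dict:
    """Replay the incident timeline under one policy and report the outcome.

    A legitimate package is removed as spam at t0; another user tries to
    publish the same name `grab_after_hours` later; staff restore it
    `restore_after_hours` later. Timestamps are constructed for the example.
    """
    t0 = datetime(2018, 1, 6, 12, 0)
    reg = Registry(cooldown_applies_to_spam)
    reg.publish("timed-out", "floatdrop", t0 - timedelta(days=365))
    reg.delete("timed-out", "spam", t0)
    grabbed = reg.publish("timed-out", "other-user", t0 + timedelta(hours=grab_after_hours))
    restored = reg.restore("timed-out")
    return {"grabbed": grabbed, "restored": restored, "owner": reg.packages["timed-out"]}


if __name__ == "__main__":
    print("old policy:", simulate(cooldown_applies_to_spam=False))
    print("new policy:", simulate(cooldown_applies_to_spam=True))
    print("new policy, grab after 25h:", simulate(True, grab_after_hours=25, restore_after_hours=26))
```

Running the three scenarios shows the trade-off the article describes: under the old policy the name is taken half an hour after the spam removal and the later restore fails; under the new policy the early grab is rejected and the restore succeeds; but if staff have not restored the package within 24 hours, the name becomes available again and the same outcome as before is possible.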

Additionally, the npm staff will establish a number of guidelines to make it less likely that legitimate packages are mistakenly removed. You can read more about them in the original post.
