The potential of malware lurking in dependencies or running scripts during installation was highlighted last week by Darcy Clarke, a former technical manager at GitHub and NPM, who issued a warning about “manifest confusion” issues.
The discrepancy between a package’s manifest data as seen in the NPM registry and the data included in the published package’s ‘package.json’ file is what causes the issue.
A malicious actor might alter a new package’s manifest data to remove specific dependencies or scripts so they do not show up in the NPM registry.
The package.json file would still contain these scripts or dependencies, and they would be run without the user’s knowledge during installation.
Developers might be at risk from this issue through cache poisoning, installation of unknown dependencies, execution of unfamiliar scripts, and perhaps even downgrade attacks.
Clarke recommended that package maintainers stop relying on manifest data and utilize a registry proxy to carry out data integrity checks because GitHub has not yet addressed the issue and it is unclear what the platform plans to do.
Manifest confusion checker
Software developers can use a Python-based tool created by system administrator Felix Pankratz to check the NPM packages for inconsistencies while a fix is being applied.
To use the program, first install its requirements with the pip Python package manager by typing “pip install -r requirements.txt”.
To inspect a single package, pass the package name to the script as the first argument. For instance:
$ ./npm-manifest-check.py darcyclarke-manifest-pkg
The output will highlight any mismatches in the version, dependencies, scripts, and package name between the manifest and the actual package.json file.
For a package without any mismatches, the output should look like this:
$ ./npm-manifest-check.py color
No mismatch detected for color.
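The comparison behind such a check, as an added example (this is not Pankratz's code): it compares the name, version, dependencies and scripts in a registry manifest against the package.json inside the published tarball. The sample manifest, the package "example-pkg" and the in-memory tarball are constructed for illustration, and the "package/" top-level directory is assumed as the usual NPM tarball layout.

```python
import io
import json
import tarfile

# Fields compared: the ones the article says the checker reports on.
FIELDS = ("name", "version", "dependencies", "scripts")


def read_package_json(tarball_bytes):
    """Parse package.json from an NPM tarball (assumes the 'package/' prefix)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.extractfile("package/package.json")
        if member is None:
            raise ValueError("package/package.json is not a regular file")
        return json.load(member)


def find_mismatches(registry_manifest, tarball_bytes):
    """Map each differing field to (registry value, tarball value)."""
    packaged = read_package_json(tarball_bytes)
    mismatches = {}
    for field in FIELDS:
        # A missing field and an empty one are treated alike (assumption).
        reg = registry_manifest.get(field) or None
        pkg = packaged.get(field) or None
        if reg != pkg:
            mismatches[field] = (reg, pkg)
    return mismatches


def build_sample_tarball(package_json):
    """Constructed sample: a minimal in-memory .tgz laid out like an NPM package."""
    data = json.dumps(package_json).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed data: the manifest hides a script and a dependency that the
# tarball's package.json still declares.
SAMPLE_MANIFEST = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}}
SAMPLE_PACKAGE_JSON = {"name": "example-pkg", "version": "1.0.0",
                       "dependencies": {"hidden-dep": "^2.0.0"},
                       "scripts": {"install": "node setup.js"}}

if __name__ == "__main__":
    tgz = build_sample_tarball(SAMPLE_PACKAGE_JSON)
    for field, (reg, pkg) in find_mismatches(SAMPLE_MANIFEST, tgz).items():
        print(f"{field}: registry={reg!r} tarball={pkg!r}")
```

Against a live registry, the manifest and the tarball bytes would come from the registry's responses for the package version being checked; here both are supplied inline so the comparison runs offline.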
Developers can list numerous packages for inspection in a ‘packages.list’ file, one package per line, then run the wrapper script ‘check_packages.sh’ to verify them. The utility will report any mismatches discovered in any of the packages being examined.
To understand all aspects of the usage of Pankratz’s tool, check the help command with:
Manifest confusion is not a widespread or critical problem in the NPM community right now, but ignoring it is not the safe way to go as threat actors could start using it for supply-chain attacks.