Recent npm Incident Exposes a Security Vulnerability
Recently, the npm registry suffered an operations incident that made some widely depended-on packages unavailable, such as require-from-string. Although the incident itself was easy to fix, it exposed a serious security weakness that could be exploited to inject malicious code into projects that use npm.
According to npm's official report, the root cause of the incident was that the user "floatdrop" was removed by mistake, so their packages could no longer be searched for or downloaded. The removal was triggered by a spam package whose README was a copy of the README of timed-out, a legitimate package published by floatdrop. Because the READMEs matched, npm's anti-spam system flagged floatdrop as a spam publisher, which in turn caused the removal of the user and all of their packages.
npm quickly determined that floatdrop was indeed a legitimate user and that some of their packages were heavily used, so they immediately moved to restore all the packages. However, in the short window before the restoration completed, new packages had been published under the same names as the deleted ones, and at the time the number of such packages was not known.
Although npm staff confirmed that none of these replacement packages were malicious, an event like this can inject malicious code into npm users' projects: any install that resolved one of those names during the window would have received the replacement instead of the original. Note that npm already had a policy preventing a package from being unpublished once it had been public for more than 24 hours, precisely so that others could not reuse its name; however, that policy did not apply to the removal of spam packages, because npm did not want spam to block the use of legitimate names.
In response to this incident, npm staff have taken several measures. The most important is a 24-hour cooldown for all deleted package names, which now also covers packages removed as spam. This makes it harder to inject malicious code by replacing a deleted package, while also requiring that npm staff be able to restore a package within that 24-hour window should someone try to reuse a legitimate package name.
In addition, npm staff will write a set of guidelines to make it harder to delete valid package names by mistake. Readers can find more details in npm's original blog post.
Last Npm Incident Uncovers Security Vulnerability