Manifest confusion in NPM packages identified by novel tool

A new Python-based tool developed by sysadmin Felix Pankratz can detect manifest confusion in NPM packages, an inconsistency that could raise the risk of malware distribution, BleepingComputer reports. Threat actors could alter a new package's manifest data so that dependencies are removed from what the NPM registry shows yet still execute when the package is installed, which may result in cache poisoning, downgrade attacks, and other types of compromise, noted former GitHub and NPM Engineering Manager Darcy Clarke. Software developers can detect such inconsistencies with the new tool: after installing its dependencies with the PIP Python package manager using "pip install -r requirements.txt", they can inspect a package for mismatches by passing its name as the script's first argument. Developers can also inspect packages in bulk by listing them in a single "packages.list" file and running the "check_packages.sh" wrapper script.
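As an added illustration of the comparison such a tool performs (example code written for this page, not Pankratz's script): the registry manifest for a version is checked field by field against the package.json embedded in the published tarball, and any field the installer acts on that differs is reported. The registry manifest and the tarball are constructed inline so the check runs offline.

```python
"""Manifest confusion check: registry manifest vs. package.json inside the tarball.
Added example; the registry data and tarball below are constructed, not real."""
import io
import json
import tarfile

# Fields an installer acts on; a disagreement here is the risky case.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def manifest_from_tarball(tar_bytes: bytes) -> dict:
    """Return the package.json stored at package/package.json in an npm tarball."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def find_mismatches(registry_manifest: dict, tarball_manifest: dict) -> dict:
    """Map each checked field where the two sources disagree to
    (registry_value, tarball_value); a field absent on one side compares as None."""
    mismatches = {}
    for field in CHECKED_FIELDS:
        reg = registry_manifest.get(field)
        tar = tarball_manifest.get(field)
        if reg != tar:
            mismatches[field] = (reg, tar)
    return mismatches


def build_tarball(package_json: dict) -> bytes:
    """Constructed sample: pack a package.json into an npm-style .tgz in memory."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed registry manifest: appears dependency-free with no install scripts.
REGISTRY = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}}
# Constructed tarball manifest: carries a dependency and a postinstall hook
# that the registry view does not show.
TARBALL = build_tarball({"name": "example-pkg", "version": "1.0.0",
                         "dependencies": {"hidden-dep": "^1.0.0"},
                         "scripts": {"postinstall": "node setup.js"}})

if __name__ == "__main__":
    for field, (reg, tar) in find_mismatches(REGISTRY, manifest_from_tarball(TARBALL)).items():
        print(f"MISMATCH {field}: registry={reg!r} tarball={tar!r}")
```

With real data the registry manifest comes from the registry's package document and the tarball from its "dist.tarball" URL; the comparison itself is unchanged.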
