Exploiting typos with malicious intent: npm’s vulnerability
Recently published research from Checkmarx has shed light on a long-standing vulnerability in npm, the package manager for the JavaScript ecosystem. Since 2017, malicious actors have been able to typosquat legitimate npm packages by changing only the capitalisation of letters in their names. npm's registry failed to detect these lowercase duplicates until a patch was released over the weekend. Enterprises must check for any malicious packages they may have downloaded before the change took effect.
Understanding the risk
Typosquatting is a cybersecurity threat whereby criminals use subtle misspellings to imitate legitimate names, originally web domains and in this case npm package names. Victims may therefore unwittingly download malware or otherwise have their systems compromised. npm implemented a patch to tackle typosquatting in its registry back in 2017. However, the vulnerability remained for packages whose names contain capital letters, because nothing prevented a new package from registering the all-lowercase form of such a name.
Checkmarx's researchers found 3,815 npm packages with capital letters in their names; of these, 1,900 were identified as being at risk of lowercase typosquatting. They cited 'objectFitPolyfill', a package downloaded nearly 200,000 times weekly, as an example.
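The collision described above, all-lowercase name versus an existing mixed-case name, is easy to check for on both sides of the registry. The following is an added example, not code from the article, from Checkmarx or from npm: it builds an index of mixed-case package names, refuses a would-be publish whose lowercase form collides with one (the registry-side rule the patch closes, here simplified to case only), and audits a project's package.json for dependencies that shadow a mixed-case package. `KNOWN_MIXED_CASE` and the sample package.json are constructed for the demo; only 'objectFitPolyfill' comes from the article.

```javascript
// Added example, not code from the article, Checkmarx or npm.
// KNOWN_MIXED_CASE stands in for a registry listing of package names; only
// 'objectFitPolyfill' is taken from the article, the others are constructed.
const KNOWN_MIXED_CASE = [
  'objectFitPolyfill',
  'exampleWidgetLoader',
  '@example-scope/FakeRenderer',
  'plain-lowercase-lib', // no capitals, so it cannot be shadowed this way
];

// Constructed package.json for the demo. Two entries differ from a
// mixed-case registry name only by case and should be flagged.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    'objectfitpolyfill': '^2.0.0',
    'exampleWidgetLoader': '^1.4.0',
    'plain-lowercase-lib': '^0.3.1',
  },
  devDependencies: {
    '@example-scope/fakerenderer': '^3.1.0',
  },
});

function hasUppercase(name) {
  return /[A-Z]/.test(name);
}

// Map from lowercased name to the mixed-case registry name(s) it collides with.
// Names without capitals are skipped: they have no lowercase twin to worry about.
function buildCollisionIndex(registryNames) {
  const index = new Map();
  for (const name of registryNames) {
    if (!hasUppercase(name)) continue;
    const key = name.toLowerCase();
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(name);
  }
  return index;
}

// Registry-side rule (simplified, case only): a new name that is the lowercase
// form of an existing mixed-case package is refused.
function wouldCollideOnPublish(candidate, index) {
  const matches = index.get(candidate.toLowerCase()) || [];
  return matches.some((existing) => existing !== candidate);
}

// Consumer-side audit: report dependencies that shadow a mixed-case package.
function auditDependencies(depNames, index) {
  const findings = [];
  for (const name of depNames) {
    const matches = index.get(name.toLowerCase()) || [];
    for (const existing of matches) {
      if (existing !== name) findings.push({ name, shadows: existing });
    }
  }
  return findings;
}

// Collect dependency names from every section npm installs from.
function auditPackageJson(jsonText, index) {
  const pkg = JSON.parse(jsonText);
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const names = sections.flatMap((section) => Object.keys(pkg[section] || {}));
  return auditDependencies(names, index);
}

const collisionIndex = buildCollisionIndex(KNOWN_MIXED_CASE);
for (const finding of auditPackageJson(SAMPLE_PACKAGE_JSON, collisionIndex)) {
  console.log(`${finding.name} differs only by case from ${finding.shadows}; verify before installing`);
}
```

In practice the index would be built from the registry's actual name list rather than a constructed array, and the audit would run in CI against the lockfile as well as package.json, since a transitive dependency can carry the same problem.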
Risks and possible solutions
The risks of downloading rogue npm packages range from information theft to ransomware, cryptojacking and denial of service. Enterprises must check all their software for vulnerabilities and ensure that security systems and robust package management policies are in place to prevent malicious actors from targeting their systems. The supply-chain dimension must also be considered: a malicious package embedded in software distributed by a supplier can infect many downstream victims.
Aside from increased awareness of typosquatting, many tools from different vendors (including open source tools) can help mitigate the risk. For example, Overlay is a browser extension that lets developers evaluate packages against various metrics before downloading them, reducing the chances of an incident. The npm registry's patch is clearly a step in the right direction, but organizations should remain vigilant and implement robust measures to avoid cyber-attacks.
Yehuda Gelb highlights that “it’s always good to check the names of the packages that you’re installing, to make sure that you’re actually installing what you want to install.” So, awareness and caution are certainly integral to avoiding these types of attacks in the future.