A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.
Last week, a former engineering manager at GitHub and NPM, Darcy Clarke, warned about “manifest confusion” problems that could introduce the risk of malware hiding in dependencies or executing scripts during installation.
“Manifest confusion” refers to a security issue in the NPM (Node Package Manager), a package manager for the JavaScript programming language and the default one for the Node.js environment.
The problem is an inconsistency between a package’s manifest data as displayed by the NPM registry and the data in the ‘package.json’ file inside the published package tarball.
A malicious actor could manipulate the manifest data of a new package, eliminating certain scripts or dependencies so that they do not appear in the NPM registry.
However, these scripts or dependencies would still be present in the package.json file and would be executed when the package is installed, without the user being aware.
This problem potentially exposes developers to risks such as cache poisoning, installation of unknown dependencies, execution of unknown scripts, and possibly even downgrade attacks.
Since GitHub has yet to address the problem and it is unclear what the platform plans to do, Clarke suggested that package maintainers remove reliance on manifest data and use a registry proxy to perform data consistency checks.
Manifest confusion checker
Until a solution is implemented, sysadmin Felix Pankratz has released a Python-based tool that can help software developers check the NPM packages for inconsistencies.
To use the tool, first install its Python dependencies with the pip package manager by running “pip install -r requirements.txt.”
To inspect a single package, pass the package’s name to the script as the first argument. For example:
$ ./npm-manifest-check.py darcyclarke-manifest-pkg
The output will highlight any mismatches in the version, dependencies, scripts, and package name between the manifest and the actual package.json file.
For a package without any mismatches, the output should look like this:
$ ./npm-manifest-check.py color
No mismatch detected for color.
To inspect multiple packages, developers can add them to a ‘packages.list’ file (one package per line) and use the ‘check_packages.sh’ wrapper script to check them. The tool will report any mismatches found in each of the checked packages.
To understand all aspects of the usage of Pankratz’s tool, check the help command with:
./npm-manifest-check.py -h
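The check the article describes boils down to comparing the fields an install client acts on (name, version, dependencies, scripts) between the registry’s manifest and the package.json inside the tarball. The following is an added example illustrating that comparison; it is not Pankratz’s tool or npm’s code. The registry manifest and tarball are constructed in memory so the example runs offline; in practice the manifest for a version comes from the registry API and the tarball from its ‘dist.tarball’ URL.

```python
"""Added example: detect manifest confusion by comparing the registry manifest
for a package version against the package.json shipped inside the tarball."""
import io
import json
import tarfile

# Fields that influence what gets installed or executed on `npm install`.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def _normalize(doc, field):
    """Treat an absent dependencies/scripts object as empty so only real differences count."""
    value = doc.get(field)
    if value is None and field in ("dependencies", "scripts"):
        return {}
    return value


def find_mismatches(registry_manifest, package_json):
    """Return {field: (registry_value, tarball_value)} for every field that differs."""
    mismatches = {}
    for field in CHECKED_FIELDS:
        reg, pkg = _normalize(registry_manifest, field), _normalize(package_json, field)
        if reg != pkg:
            mismatches[field] = (reg, pkg)
    return mismatches


def package_json_from_tarball(tarball_bytes):
    """Parse package/package.json out of an npm tarball (gzip-compressed tar)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        return json.load(tar.extractfile(tar.getmember("package/package.json")))


def build_tarball(package_json):
    """Constructed sample input: build an npm-style tarball in memory from a dict."""
    buf, data = io.BytesIO(), json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check(registry_manifest, tarball_bytes):
    """Full check: registry manifest versus the package.json actually shipped."""
    return find_mismatches(registry_manifest, package_json_from_tarball(tarball_bytes))


# Constructed sample: the registry manifest shows no scripts or dependencies,
# while the tarball's package.json declares both (hypothetical names).
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0"}
SHIPPED_PACKAGE_JSON = {"name": "example-pkg", "version": "1.0.0",
                        "dependencies": {"some-dep": "^1.0.0"},
                        "scripts": {"preinstall": "node ./setup.js"}}

if __name__ == "__main__":
    for field, (reg, pkg) in check(REGISTRY_MANIFEST, build_tarball(SHIPPED_PACKAGE_JSON)).items():
        print(f"mismatch in {field}: registry={reg!r} tarball={pkg!r}")
```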
Manifest confusion is not a widespread or critical problem in the NPM community right now, but ignoring it is not safe, as threat actors could start using it for supply-chain attacks.