npm Supply Chain Attacks: 2 Main Risks

TL;DR

Most npm supply chain attacks happen in two main ways: typosquatting and package compromise (where a legitimate package is hacked). This guide explains how to spot these risks and protect your projects.

1. Typosquatting Attacks

Typosquatting involves attackers publishing packages with names very similar to popular ones, hoping developers will mistype the name during installation. For example, instead of lodash they might publish l0d4sh (using a zero instead of an ‘o’).

How it works:

1. An attacker identifies a popular npm package.
2. They create a malicious package with a similar name, often with subtle differences.
3. Developers accidentally install the malicious package instead of the real one.
4. The malicious package can then steal data, inject code into your project, or cause other harm.

How to protect against typosquatting:

1. Double-check package names: Always carefully review the package name before installing it. Look for subtle differences in spelling or characters.
2. Use a package lock file: package-lock.json (or yarn.lock) ensures you always install the exact versions of dependencies you specify, reducing the risk of accidentally picking up a malicious package. Make sure to commit this file to your repository!
3. Consider using a dependency security scanner: Tools like Snyk or npm audit can help identify potentially vulnerable packages (see section 3).

2. Package Compromise Attacks

Package compromise happens when an attacker gains control of a legitimate npm package, usually by compromising the developer’s account or repository.

How it works:

1. An attacker compromises a maintainer’s npm account (e.g., through phishing or weak passwords).
2. They publish a malicious version of a legitimate package to npm.
3. Developers who update their dependencies install the compromised version.
4. The malicious code then executes in your project.

How to protect against package compromise:

1. Keep dependencies updated (but cautiously): Regularly updating dependencies is important for security, but do it carefully. Test updates thoroughly before deploying them to production.
2. Use semantic versioning (semver): Understand the meaning of semver ranges in your package.json file (e.g., ^1.2.3 allows minor and patch updates, but not major ones). This helps control which versions you automatically receive.
3. Monitor dependency changes: Be aware when dependencies are updated and review the changelog for any unexpected changes.
4. Enable two-factor authentication (2FA) on npm accounts: Protect your account with 2FA to prevent unauthorized access.

3. Tools for Detecting Vulnerabilities

Several tools can help you identify and mitigate supply chain risks.

• npm audit: A built-in npm command that scans your project’s dependencies for known vulnerabilities.

  npm audit

• Snyk: A popular dependency security platform that provides vulnerability scanning, monitoring, and remediation advice. (Offers free and paid plans).
• Dependabot: Automatically creates pull requests to update dependencies with known vulnerabilities (integrated with GitHub).