The Evil Side of the npm Ecosystem

Are you going to be the next victim?

Disclaimer: I use npm myself, the point of this post is not to discredit npm, it is to help people understand that packages within the npm ecosystem should not be installed without doing research on them.

Imagine that you just found the perfect package that provides everything that you need for your application. A week after installing it, an article comes out talking about that same package being a malicious backdoor into your application. You rush to remove it but realize that all your clients’ data, secrets, and keys have already been compromised. It’s too late now, but how do you ensure that the next package you install won’t follow that same path?

Many people may think that once the software is built, it won’t need to be worked on anymore, but that never seems to be the case. Software engineers are constantly installing what are known as ‘packages’ into their applications. When it comes to installing and managing packages, many people turn to npm.

At the time of writing this, npm has 1,586,117 packages uploaded and 127,834,784,839 package downloads in the last month.

Source: npmjs.com

It has become a common practice to install packages rather than re-write code. At first thought, this doesn’t sound like a bad idea. In a lot of cases, installing packages is very useful and tends to be the correct choice. However, if you don’t do your research and continue to actively maintain the packages that you use, things can get ugly.

Recently, several packages have been discovered that contain malicious code. One of those was a package that was disguised to look like the official Twilio package (twilio). It gave the attackers access to run remote commands on the victims’ computers. It was called twilio-npm and in 1 day it was downloaded over 300 times. There were many red flags that could have easily been seen by going to the package page.

What to Look For

Here are key things to look for before installing a package:
  • Weekly Downloads — The package should have a good amount of weekly downloads. Often, when you see under 1000 weekly downloads and/or an unstable graph, it means that the package isn’t being used by many and has a higher chance of being discontinued.
  • Unpacked Size — If you are looking at a very simple package with a massive unpacked size, it generally means that the code is not as optimized as it could be and may not be worth uploading into your project.
  • Last Updated — The date that the package was last updated should be fairly recent. If the package has not been updated for six months, it could mean that it is no longer being maintained and will likely have vulnerabilities and bugs that won’t ever get resolved.
  • GitHub Activity — The issues, the code, and how active the maintainers are will give you an insight into the validity of the package.
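As an added example, not code from the original post: a small Node.js script that applies the checks above to a package's registry metadata. The field names (dist-tags, time.modified, versions[v].dist.unpackedSize, versions[v].scripts, repository.url) are those of the public registry document; the thresholds, the watch list of well-known names and the sample package record are assumptions made for illustration.

```javascript
// Added example (not from the original post): a heuristic review of one npm
// package using the red flags listed above, over metadata shaped like the
// public registry document (registry.npmjs.org/<name>) and the downloads
// API (api.npmjs.org/downloads/point/last-week/<name>). All sample data
// below is constructed for illustration, not a real package record.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000;
const LARGE_UNPACKED_BYTES = 5 * 1024 * 1024; // assumed threshold
const WELL_KNOWN = ['twilio', 'lodash', 'express', 'react']; // assumed watch list

// Strip decorations added to a trusted name ("twilio-npm", "node-lodash").
function resemblesWellKnownName(name) {
  const lower = name.toLowerCase();
  const core = lower.replace(/^(npm|node|js)[-_.]/, '').replace(/[-_.]?(npm|node|js)$/, '');
  return WELL_KNOWN.some(k => k !== lower && k === core);
}

// Returns the list of red flags; an empty list means no check fired.
function assessPackage(meta, weeklyDownloads, now = Date.now()) {
  const flags = [];
  const latestTag = (meta['dist-tags'] || {}).latest;
  const latest = (meta.versions || {})[latestTag] || {};
  if (weeklyDownloads < 1000) flags.push(`low adoption: ${weeklyDownloads} downloads last week`);
  const modified = Date.parse((meta.time || {}).modified);
  if (Number.isNaN(modified) || now - modified > SIX_MONTHS_MS) {
    flags.push('stale: no update in over six months');
  }
  const size = (latest.dist || {}).unpackedSize || 0;
  if (size > LARGE_UNPACKED_BYTES) flags.push(`large unpacked size: ${size} bytes`);
  if (!(meta.repository && meta.repository.url)) flags.push('no linked source repository');
  const scripts = latest.scripts || {};
  if (scripts.preinstall || scripts.install || scripts.postinstall) {
    flags.push('runs code at install time (extra check beyond the list above)');
  }
  if (resemblesWellKnownName(meta.name || '')) flags.push('name resembles a well-known package');
  return flags;
}

// Constructed sample: a look-alike of a popular package, published a day ago, no repo.
const sampleMeta = {
  name: 'twilio-npm',
  'dist-tags': { latest: '1.0.0' },
  time: { modified: '2020-10-30T00:00:00.000Z' },
  versions: { '1.0.0': { dist: { unpackedSize: 2048 }, scripts: { postinstall: 'node install.js' } } },
};
const sampleNow = Date.parse('2020-10-31T00:00:00.000Z');
console.log(assessPackage(sampleMeta, 300, sampleNow));
```

To run it against a real package, fetch the two JSON documents named in the comments and pass them in place of the constructed sample.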

Another big thing to consider when installing these packages is that they will still require maintenance. As new resources are introduced to developers, package maintainers will release updates. Updates can come out very frequently and in some cases, these updates include breaking changes. It’s important that these updates are applied to your application regardless of how many changes have to be made. These updates frequently carry vulnerability patches and bug fixes.

Learn More

Here are key tools to use for updating and checking packages:
  • Dependabot — A tool maintained by GitHub that will create automatic pull requests when new updates and security fixes come out for your package.
  • npm audit — A command built into npm itself that will scan all your packages for vulnerabilities and display a detailed audit report. Running npm audit fix will try to automatically fix the vulnerabilities it finds.
  • npm-check-updates — A tool, also known as NCU, that allows you to see which packages need to be updated and update all your packages at once.
  • Version Lens (VS Code Extension) — A tool that will visually show in package.json if your package is on the latest version or if there is an update available.

In conclusion, npm is a great tool that provides a vast number of packages. However, packages within the npm ecosystem should be used with caution and deliberation. Below are some packages that I personally have used in applications and have my full recommendation.

written for HDM by Drew Klayman