Destructive everything package brings to mind npm registry vulnerabilities

Package Manager npm got into an unpleasant situation that has once again revived the debate about how the microdependency registry for JavaScript (and Node.js) works.

Critics argue that npm has too many dependencies. Many people remember the story of 2016 with the micromodule left-pad from a few lines of code, which implement a primitive function for inserting spaces on the left side of strings. It was installed as a dependency in React, Babel and other packages. Author and maintainer left-pad decided withdraw it in protest, causing widespread disruption to websites. After this, npm Inc. prohibited authors from withdrawing their packages without permission from the administration.

Now we are seeing, in a sense, a continuation of this story.


Everything package

In January 2024, a user named PatrickJS (aka

gdi2290

) With

group of contributors

I posted a demo package as a troll

everything

with five subpackages.

By socket.dev statisticsthe package was downloaded from the registry about 370 times.

True to its name, the package and its subpackages included links to All public npm packages, generating millions of transitive dependencies.

Such a package essentially launches DoS on any system where the installation is initiated. Theoretically, an attacker can disable a third-party computer with a simple command npm install everything.

The author even launched a demo website page everything.npm.lol, which shows the process of installing a package and all the chaos that ensues. At the end of the demo, a scene from the game Skyrim plays.

File contents package.json (code has already been removed from Github):

{
  "name": "everything",
  "version": "3.0.0",
  "description": "npm install everything",
  "main": "index.js",
  "contributors": [
    "PatrickJS <github@patrickjs.com>",
    "uncenter <hi@uncenter.dev>",
    "ChatGPT <chatgpt@openai.com>",
    "trash <trash@trash.dev>",
    "Hacksore <sean@boult.me>"
  ],
  "scripts": {},
  "keywords": [
    "everything",
    "allthethings",
    "everymodule"
  ],
  "license": "MIT",
  "homepage": "https://github.com/everything-registry/everything",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/everything-registry/everything.git"
  },
  "dependencies": {
    "@everything-registry/chunk-0": "0.1.0",
    "@everything-registry/chunk-1": "0.1.0",
    "@everything-registry/chunk-2": "0.1.0",
    "@everything-registry/chunk-3": "0.1.0",
    "@everything-registry/chunk-4": "0.1.0"
  }
}

npm package manager

Package Manager

npm

is included in the Node.js installer and is the default manager in that runtime. It consists of a command line client and an online database of public and paid packages (npm registry). The registry is accessed through the client, and available packages can be viewed and searched on

npm website

. The package manager and registry are managed by npm, Inc.

This is not the first time that a package with all possible dependencies has been published in the registry. Last year there was a similar performance by the author no-one-left-behind. It was removed, but then reborn under a different name with over 33,000 subpackages.

In general, the very first one in 2012 was hoarders with dependencies from 20,000 packages, which was distributed as “the most comprehensive package of utilities for node.js.” One year later hoarders was removed personally by Isaac Schlöter, the creator of npm, due to the heavy load on the registry.

Consequences

As you know, according to the new npm rules (see above about the incident with

left-pad

) developers were deprived of the ability to independently remove packages from the registry 24 hours after publication. Since installation

everything

automatically causes a DoS attack on any computer, the author could theoretically be held criminally liable for intentional damage to computer systems. Realizing the consequences of his action, PatrickJS tried to withdraw the package, but was unable to do so on his own. He had to contact npm Inc. technical support for help.

PatrickJS also posted apology on Github (now deleted), in which he apologized for the difficulties this package caused: “The main problem is that when a package depends on another package of a certain version, that version cannot be retracted,” the author writes. – We have since realized a problem with star versions that depend on any/all versions of another package ("package-xyz": "*") – no version of such a package can be withdrawn from the registry. As I said, we've contacted npm and hope they can help… We can't do anything ourselves, we don't have the option to withdraw packages (because others depend on them), and publishing a new version won't change anything.”

One way or another, but everything once again reminded of the fundamental vulnerability of the micromodule registry with many cross and transitive dependencies. By installing such dependencies, the developer loses some control over his code. Authors of some popular npm packages officially sell them to participate in botnets. For example, package ua-parser-js with 7 million installations it was sold for $20 thousand.

Every month from the npm registry about 300 packages are removed for safety reasons.

Browser extensions, mobile applications and desktop utilities are also sold. All this is posted on underground forums, and the new owner initiates a software update with the installation of malicious code on the computers of thousands of users. For example, today a browser extension blocks ads, but tomorrow it can install a hidden mining program on the user’s computer.

In the case of the npm registry, the situation is aggravated by the many transitive dependencies in which it is difficult to track changes.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *