Malicious npm Packages Threaten Web Apps: Report

WhiteSource, an open source security and management provider, tracked an average of 32,000 new npm packages published every month during 2021. That volume of activity gave threat actors cover to launch a range of attacks, including software supply chain attacks, cryptojacking, data theft, botnets, and fake "security research" packages that claim to be intended for research but actually contain malicious code.

WhiteSource released a new threat report based on malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide. The report, Popular Javascript Package Registry Is a Playground For Malicious Actors, is based on findings from more than 1,300 malicious npm packages identified in 2021 by WhiteSource Diffend, the company's automated malware detection platform.

JavaScript is the most commonly used programming language today, with more than 16 million developers worldwide relying on its speed, strong documentation, and interoperability with other programming languages. But the popularity of JavaScript has also attracted attention from threat actors, who increasingly target JavaScript’s open-source package managers and package registries – the most widely used of which is npm, with more than 1.8 million active packages, the company said in a press release.

Attackers are increasingly targeting the software supply chain through npm. In these supply chain attacks, adversaries shift upstream: they compromise existing components that are distributed downstream and installed potentially millions of times. They also publish new malicious components and trick users into installing and using them.

“With an average of over 17,000 new npm package versions being published daily in 2021, there’s no question that package update activity needs to be closely monitored,” said Rami Sass, Co-Founder and CEO of WhiteSource. “Unfortunately, that popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals.”

The report also identifies best practices for thwarting npm attacks, including deploying tooling that restricts installs to verified package sources, adopting a shift-left approach, not installing packages without first assessing them, and reporting unexpected behaviour or inconsistencies to package owners.
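As an added example (not code from the article or from WhiteSource's report), the following Node.js script sketches the kind of pre-install assessment the best practices above call for, aimed at the two attack patterns described earlier: it flags lifecycle scripts that execute code at install time, and package names that look like typosquats of popular packages. The popular-package list, the edit-distance threshold of 2, and the sample manifests are all assumptions constructed here.

```javascript
// Added example, not from the article or the WhiteSource report.
// Minimal pre-install assessment of an npm package manifest (package.json).

// npm runs these hooks automatically during `npm install`, so any command
// here executes on the developer's machine before the package is ever used.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed allowlist of well-known package names (illustrative, not exhaustive).
const POPULAR_PACKAGES = ['lodash', 'express', 'react', 'axios', 'chalk', 'moment'];

// Assumed threshold: names within this many edits of a popular name are suspicious.
const TYPOSQUAT_MAX_DISTANCE = 2;

// Levenshtein edit distance between two strings (typosquat heuristic).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // deletion
        dp[i][j - 1] + 1,        // insertion
        dp[i - 1][j - 1] + cost  // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns an array of findings for one parsed package.json object.
// Lifecycle-script findings come first, then possible typosquats.
function assessManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ type: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  const name = String(pkg.name || '').toLowerCase();
  for (const popular of POPULAR_PACKAGES) {
    const d = editDistance(name, popular);
    // d === 0 is the real package; small positive distances are look-alikes.
    if (d > 0 && d <= TYPOSQUAT_MAX_DISTANCE) {
      findings.push({ type: 'possible-typosquat', detail: `${name} resembles ${popular}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not real packages).
const SAMPLE_BENIGN = {
  name: 'my-internal-util',
  version: '1.0.0',
  scripts: { test: 'node test.js' },
};
const SAMPLE_SUSPICIOUS = {
  name: 'lodahs',
  version: '4.17.21',
  scripts: { postinstall: 'node setup.js' },
};

// Stand-alone run: print findings for both samples.
for (const pkg of [SAMPLE_BENIGN, SAMPLE_SUSPICIOUS]) {
  const findings = assessManifest(pkg);
  console.log(`${pkg.name}: ${findings.length === 0 ? 'no findings' : ''}`);
  for (const f of findings) console.log(`  [${f.type}] ${f.detail}`);
}
```

Run it against a package's manifest before adding the dependency, and pair it with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) so that install-time hooks cannot execute until the package has been reviewed. A small edit-distance threshold will still miss look-alike names built from different characters, so treat the typosquat check as a first filter rather than a verdict.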

