{"id":1482,"date":"2022-02-07T15:10:55","date_gmt":"2022-02-07T22:10:55","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=1482"},"modified":"2022-02-20T05:42:13","modified_gmt":"2022-02-20T12:42:13","slug":"attack-of-the-packages","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/02\/07\/attack-of-the-packages\/","title":{"rendered":"Attack of the Packages"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Attackers have been increasingly uploading malicious packages to the popular JavaScript package repository, npm<\/a>, in order to gain access to sensitive information, set up botnets, steal cryptocurrency, and more.<\/p>\n\n\n\n

‘npm’, what is it?<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Node Package Manager, better recognized by its acronym ‘npm’, is a free, open source software registry that was recently acquired by Microsoft-owned GitHub<\/a>. Upwards of 32,000 packages are uploaded monthly and an average of 17,000 package updates daily, npm hosts over 1.8 million JavaScript packages. Created in 2009<\/a>, it has grown to become the center of JavaScript code sharing. With more than 11 million developers relying on its service, there is no doubt that attackers will aim to take advantage of this.<\/p>\n\n\n\n

Why attackers choose npm<\/h2>\n\n\n\n

The nature of being open-source and free gives rise to one of technology’s greatest fears; a lack of security. Most of the packages uploaded to npm are maintained and verified by users and open-source communities, making the JavaScript ecosystem ‘ripe for exploitation by attackers’, according to open source security and management firm WhiteSource<\/a>. A huge problem with npm packages is that they don’t need to be run or used – as long as they’re on the system, they are automatically given permission to do whatever they want<\/a>. <\/p>\n\n\n\n

It is estimated that there will be more than 2 billion websites by the end of 2022 and almost 98% of them will depend on JavaScript. The popularity and dependence of npm across numerous systems and applications provides exactly what attackers are looking for: quick distribution with a large audience. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And indeed, attackers are taking advantage of the malicious opportunity that npm presents, having already targeted its popular registries to attack Discord<\/a> in January<\/a> and December<\/a> last year.<\/p>\n\n\n\n

Attackers are utilizing the distributive nature of npm and focusing their attacks upstream to ‘infect existing components that are distributed downstream and installed potentially millions of times’, according to this npm Threat Report<\/a> by WhiteSource. In the last six months, WhiteSource identified more than 1,300 malicious packages that were uploaded to npm in 2021. Of the 1,300 packages, about 14 percent were found to steal sensitive information such as credentials while nearly 82 percent were acting as spies and trackers – passively or actively gathering information on unsuspecting clients.<\/p>\n\n\n\n

The malware, and more<\/h2>\n\n\n\n

As stated in this threatpost article<\/a>, here are some of the malware that WhiteSource detected and identified in their report:<\/p>\n\n\n\n