It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder


Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.

This talk was presented at DevOps.js Conf 2022; check out the latest edition of this JavaScript conference.

FAQ

Feross is an open-source maintainer who started WebTorrent, a peer-to-peer file transfer protocol, and StandardJS, a linter that catches bugs and enforces code style. He has been involved in open source since 2014 and has created over a hundred npm packages.

WebTorrent is a peer-to-peer file transfer protocol created by Feross, an open-source maintainer.

In October 2021, the UAParser.js package was compromised. Three malicious versions were published, which included malware that executed immediately upon installation. This malware primarily targeted Windows and Linux users, stealing passwords and installing a Monero cryptocurrency miner.

Supply chain attacks in the npm ecosystem occur through various vectors such as typo-squatting, dependency confusion, and hijacked packages. Attackers publish malicious code in packages with similar names to popular ones, register public packages with names used internally by companies, or gain control of popular packages to insert malicious code.

Common tactics include using install scripts to execute code upon installation, accessing privileged APIs to steal secrets, and obfuscating code to hide malicious activities.

Supply chain attacks are becoming more prevalent due to the heavy reliance on open-source code, the liberal use of transitive dependencies, and the lack of thorough code review. Additionally, popular tools often fail to detect new malware quickly enough.

Socket is a startup founded by Feross that helps protect the open-source ecosystem. It provides tools to detect and block malicious dependencies, analyze npm packages for security issues, and offer detailed security reports to help developers make informed decisions.

Vulnerabilities are accidentally introduced by maintainers and have varying levels of risk, while malware is intentionally introduced by attackers and always leads to severe consequences. Vulnerabilities may be patched over time, but malware needs to be caught before installation.

Developers can protect their applications by choosing better dependencies, auditing dependencies, using tools like Socket for automated security checks, and staying informed about the security of the packages they use.

Users who installed the compromised UAParser.js package lost all their passwords and had to reset their online accounts. The malware published in the package included a Monero miner and a DLL file that stole passwords from various programs and the Windows Credential Manager.

Feross Aboukhadijeh
32 min
24 Mar, 2022


Video Summary and Transcription

The talk discusses the recent compromise of the UAParser.js package and the need for supply chain security in the open source community. It explores the reasons for security risks in open source and the need for a new approach to detect and block malicious dependencies. The different attack vectors and maintainer vulnerabilities are also discussed. The speaker emphasizes the importance of evaluating packages and protecting your app, as well as the need for a mindset shift in how we view open source. The talk concludes with an introduction to Socket.dev, a tool focused on supply chain attack detection.

1. Introduction to Node Modules and Open Source

Short description:

Hello and welcome. I'm Feross, an open source maintainer with experience in creating npm packages. Let me tell you a story about a popular package called UAParser.js and its journey from being published on GitHub to becoming widely used.

Hello and welcome. Thanks for coming to my talk: It's a Jungle Out There: What's Really Going on Inside Your node_modules Folder?

I'm Feross and I'm an open source maintainer. I started WebTorrent, which is a peer-to-peer file transfer protocol, and StandardJS, a linter that catches bugs and enforces code style. I've been doing open source since 2014 and have created over a hundred npm packages. In the past, I volunteered on the Node.js board of directors and I also teach a class on web security at Stanford University. Now I'm the founder of a startup called Socket, which helps protect the open source ecosystem.

Before we get started, let me tell you a story. On January 13th, 2012, over ten years ago, a developer named Faisal Salman published a new project to GitHub. It was called UAParser.js and it parsed user agent strings. Now, lots of people found this project useful, and so over the next 10 years, Faisal continued to develop the package, along with help from many open source contributors. He published 54 versions as the package grew in popularity. It eventually grew to 7 million downloads per week, eventually being used by nearly 3 million GitHub repositories.

2. Compromised UAParser.js Package

Short description:

Now, let me tell you a different story. On October 5th, 2021, a hacker offered to sell the password to an npm account controlling a package with over 7 million weekly downloads. Two weeks later, UAParser.js was compromised, resulting in the publication of three malicious versions. These versions contained malware that executed upon installation, leading to the theft of passwords and the mining of the Monero cryptocurrency. The package was reported and removed after four hours.

Now, let me tell you a different story. On October 5th, 2021, on a notorious Russian hacking forum, this post appeared. A hacker was offering to sell the password to an npm account that controlled a package with over 7 million weekly downloads. His asking price was $20,000 for this password.

Now, this is where the two stories intersect. Two weeks later, UAParser.js was compromised and three malicious versions were published. Malware was added to these packages that would execute immediately whenever anyone installed one of the compromised versions.

So, now let's take a look at what that malware does. So, this is the package.json file for the compromised version. And you'll see that it uses a preinstall script. So, this means that this command will run automatically anytime this package is installed. So, now let's look at what that script does. So, the first thing you'll see is that it splits based on the operating system of the target. On Mac, nothing happens, which is lucky for Mac users, but Windows and Linux users aren't so lucky. And you'll see here that a command prompt is spawned for each of these platforms using child_process.exec.

So, now let's take a look at what that preinstall.sh script does. The very first line fetches the user's country and figures out whether the user is coming from Russia, Ukraine, Belarus, or Kazakhstan and stores that in a variable. Now, if the user comes from one of those countries, then the script exits without doing anything further. However, if you come from any other country, then the script proceeds to download an executable file from this IP address, mark that file as executable, and then run it. And now, based on these command line flags, you can see here that this program is a Monero miner, which is going to be used to mine the Monero cryptocurrency for the attacker.

Now this is the script on Windows. It's very similar. So it starts off with downloading that same or similar Monero miner, but it also downloads a DLL file as well and runs that. And then here you can see it just starting up the Monero miner and registering the DLL file on Windows.

Now, what does this extra DLL file do? Well, it steals passwords from over one hundred different programs on the Windows machine, as well as all the passwords in the Windows Credential Manager. So yikes, this is a really nasty piece of malware. And anyone unlucky enough to run this lost all their passwords and had to do kind of a complete reset of their online accounts. Not a fun time. So this is kind of the aftermath. So this package was published for about four hours, and the open source community was pretty diligent and reported it.
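The install-hook chain described above (a preinstall entry in package.json that launches a script, which branches on platform and spawns a shell) is exactly what a pre-install audit should surface. The following is an added example, not code from the talk or from Socket: it audits a package manifest for lifecycle hooks that run on install and, when a hook runs a local script, scans that script's source too. The `files` map, the `RISKY_PATTERNS` heuristics and the sample manifests are all constructed here for illustration.

```javascript
// Added example (not code from the talk or from Socket): audit an npm package
// manifest for lifecycle hooks that run on install, the vector used by the
// compromised UAParser.js release, and, when a hook launches a local script,
// scan that script's source too. `files` maps script paths to contents that the
// caller has read from the package tarball (assumed; tarballs not handled here).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Illustrative heuristics for install-hook code, not an exhaustive malware signature.
const RISKY_PATTERNS = [
  { name: 'spawns a process', re: /child_process|\bexec\b|\bspawn\b/ },
  { name: 'fetches remote content', re: /\bcurl\b|\bwget\b|https?:\/\/|\b\d{1,3}(?:\.\d{1,3}){3}\b/ },
  { name: 'branches on platform', re: /process\.platform|os\.platform/ },
  { name: 'runs a shell or batch script', re: /\.(?:sh|bat|ps1)\b/ },
  { name: 'loads a DLL', re: /\.dll\b/i },
];

function matchReasons(text) {
  return RISKY_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}
// One finding per install hook present in the manifest. A hook with no matched
// pattern is still reported: the hook itself is the signal worth reviewing.
function auditInstallScripts(pkgJson, files = {}) {
  const manifest = typeof pkgJson === 'string' ? JSON.parse(pkgJson) : pkgJson;
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const reasons = new Set(matchReasons(command));
    // `node some-file.js`: also inspect the script the hook launches, if its source was supplied.
    const m = command.match(/\bnode\s+(\S+\.js)\b/);
    if (m && files[m[1]] !== undefined) {
      for (const r of matchReasons(files[m[1]])) reasons.add(r);
    }
    findings.push({ name: manifest.name, version: manifest.version, hook, command, reasons: [...reasons] });
  }
  return findings;
}
// Constructed samples shaped like the talk's description: a preinstall hook
// launching a script that branches on OS and execs a platform-specific script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-pkg', version: '0.0.1',
  scripts: { preinstall: 'node preinstall.js', test: 'mocha' },
});
const SAMPLE_FILES = {
  'preinstall.js': "const { exec } = require('child_process');\n" +
    "if (process.platform === 'win32') exec('preinstall.bat'); else if (process.platform === 'linux') exec('sh preinstall.sh');",
};
const BENIGN_MANIFEST = JSON.stringify({ name: 'plain-lib', version: '2.0.0', scripts: { test: 'jest' } });
```

Calling `auditInstallScripts(SAMPLE_MANIFEST, SAMPLE_FILES)` reports the preinstall hook with the process-spawning, platform-branching and shell-script reasons, while the benign manifest yields no findings; `npm install --ignore-scripts` is the corresponding blunt mitigation when a hook cannot be reviewed first.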
