Over 800 npm Packages Found with Discrepancies, 18 Exploitable to ‘Manifest Confusion’

Over 800 npm Packages Found with Discrepancies, 18 Exploitable to 'Manifest Confusion'

March 21, 2024 at 10:52AM

Researchers at JFrog have uncovered over 800 npm registry packages with discrepancies from their registry entries, 18 of which exploit a technique called manifest confusion. This technique can trick developers into running malicious code by supplying a different manifest with hidden dependencies during installation. They stress the importance of verifying package safety and identifying hidden dependencies.

Based on the meeting notes, the key takeaways are:
– A cybersecurity firm, JFrog, has identified over 800 packages in the npm registry with discrepancies, out of which 18 are exploiting a technique called manifest confusion.
– Manifest confusion enables threat actors to insert hidden malicious dependencies, which are processed during package installation to install malicious code onto developer systems.
– The npm registry does not validate whether the manifest file in the package.json matches the manifest data provided during the publishing process, leaving potential for exploitation.
– One package in question, yatai-web-ui, is designed to send an HTTP request to a server with information about the IP address of the installing machine.
– While the attack vector has not been utilized by threat actors to date, developers are urged to verify the safety and trustworthiness of packages by introducing procedures to detect any hidden dependencies.

Is there anything else I can help you with?

Full Article