uTalk

Official forum for Utopia Community


#1 2023-07-05 22:17:18

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Users of Node.js: Manifest Confusion Attack Allows Malware to Infiltrate

The npm registry for the Node.js JavaScript runtime environment is vulnerable to a type of attack known as a manifest confusion attack, which could allow threat actors to cloak malware in project dependencies or run arbitrary scripts during installation.

An ex-GitHub and npm engineering manager named Darcy Clarke stated in a technical article posted last week that "A npm package's manifest is published independently from its tarball. Manifests are never completely checked against the contents of the tarball."

In general, Clarke continued, "the ecosystem has assumed the contents of the manifest and tarball are consistent."

The manifest and package metadata are not cross-referenced against one another, which is the root cause of the issue. This results in unexpected behavior and misuse when there is a mismatch.

As a result, a threat actor could use this flaw to publish a module with a manifest file (package.json) that has hidden dependencies, runs install scripts and downloads files, which could lead to a supply chain attack and the contamination of a developer's environment.

Ax Sharma, a researcher and journalist for Sonatype, noted that "Manifest confusion becomes problematic in development environments without effective DevSecOps workflows and tooling in place, especially when applications blindly trust application manifests rather than the actual (vulnerable or malicious) files contained within open source packages."

The discovery highlights the fact that users must take precautions to scan packages for any unusual features and exploits and emphasizes the fact that package manifest files' metadata alone cannot be relied upon when downloading a package from the open-source repository.


Attack with Manifest Confusion.

Clarke claims that GitHub has been aware of the issue since at least early November 2022 and that, as of March 2023, the Microsoft subsidiary plans to internally address it. However, no solution has been found for the problem as of yet.

In the absence of an official fix, security researcher Felix Pankratz has made a Python script that can be used to check npm modules for discrepancies between their manifests.

The development also comes after developer security company Snyk, working with Redhunt Labs, looked at 11,900 repositories from the top 1,000 GitHub organizations for insecure dependencies. They found 1,229,601 flaws in 15,584 vulnerable dependency files.

With a staggering 130,831 occurrences in Java repositories, de-serialization of untrusted data was the most common vulnerability type, accounting for 40% of all vulnerabilities found, according to the study.

Prototype pollution emerged as the biggest flaw in JavaScript-based projects with 343,332 occurrences. With 19,652 and 56,331 instances, respectively, denial-of-service (DoS) flaws were the biggest contributors in Python and Ruby projects.

Security researchers Umair Nehri and Vandana Verma Sehgal asserted that the risk of weak dependencies impairing the security of software supply chains "is here to stay. Therefore, developers must exercise caution when choosing the dependencies they incorporate into their projects and maintain them so that any known vulnerabilities are patched."

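The check the post describes, as an added example that is not part of the original post and is not Felix Pankratz's script: the registry publishes a per-version manifest (the JSON document behind `npm view`), and the tarball carries its own `package/package.json`; manifest confusion is any disagreement between the two in fields that decide what gets installed or executed. The code below reads `package.json` out of a tarball with the standard library and diffs it field by field against a registry manifest. The package names (`example-widget`, `dropper-helper`), both manifests and the tarball itself are constructed fixtures so the script runs offline; `fetch_live` is an optional helper for a real package and is not exercised here.

```python
"""Detect npm manifest confusion: diff the registry manifest for a package
version against the package.json inside the published tarball.
Added example; sample data below is constructed, not a real package."""
from __future__ import annotations

import io
import json
import tarfile
import urllib.request

# Fields whose registry/tarball disagreement changes what npm installs or runs.
CHECKED_FIELDS = (
    "name", "version", "dependencies", "optionalDependencies",
    "peerDependencies", "bundleDependencies", "scripts", "bin",
)
# Map-valued fields: a missing field and an empty object mean the same thing.
MAP_FIELDS = {"dependencies", "optionalDependencies", "peerDependencies", "scripts"}


def read_tarball_manifest(tarball_bytes: bytes) -> dict:
    """Return the package.json inside an npm tarball (gzipped tar).
    npm tarballs put package contents under a top-level "package/" directory."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.lstrip("./") == "package/package.json":
                return json.load(tar.extractfile(member))
    raise ValueError("tarball has no package/package.json")


def compare_manifests(registry: dict, tarball: dict) -> list[str]:
    """One finding per field (or per key of a map field) where the registry
    manifest and the tarball's package.json disagree, in either direction."""
    findings: list[str] = []
    for field in CHECKED_FIELDS:
        reg_val, tar_val = registry.get(field), tarball.get(field)
        if field in MAP_FIELDS:
            reg_val = reg_val if reg_val is not None else {}
            tar_val = tar_val if tar_val is not None else {}
        if reg_val == tar_val:
            continue
        if isinstance(reg_val, dict) and isinstance(tar_val, dict):
            for key in sorted(set(reg_val) | set(tar_val)):
                if reg_val.get(key) != tar_val.get(key):
                    findings.append(
                        f"{field}.{key}: registry={reg_val.get(key)!r} "
                        f"tarball={tar_val.get(key)!r}")
        else:
            findings.append(f"{field}: registry={reg_val!r} tarball={tar_val!r}")
    return findings


def check_package(registry: dict, tarball_bytes: bytes) -> list[str]:
    """Full check: extract the tarball manifest and diff it against the registry one."""
    return compare_manifests(registry, read_tarball_manifest(tarball_bytes))


def fetch_live(name: str, version: str) -> list[str]:
    """Optional network path (not run offline): the registry serves the version
    manifest at /<name>/<version>, and its dist.tarball points at the archive."""
    base = "https://registry.npmjs.org"
    with urllib.request.urlopen(f"{base}/{name}/{version}") as resp:
        registry = json.load(resp)
    with urllib.request.urlopen(registry["dist"]["tarball"]) as resp:
        return check_package(registry, resp.read())


def build_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style tarball in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed registry manifest: what a reviewer sees via the registry API.
REGISTRY_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.3",
    "dependencies": {"lodash": "^4.17.21"},
}
# Constructed tarball package.json: an extra dependency and an install script
# that the registry manifest does not mention.
TARBALL_PACKAGE_JSON = {
    "name": "example-widget",
    "version": "1.2.3",
    "dependencies": {"lodash": "^4.17.21", "dropper-helper": "0.0.1"},
    "scripts": {"postinstall": "node ./setup.js"},
}

if __name__ == "__main__":
    for finding in check_package(REGISTRY_MANIFEST, build_tarball(TARBALL_PACKAGE_JSON)):
        print("MISMATCH", finding)
```

Running it flags `dependencies.dropper-helper` and `scripts.postinstall` as present only in the tarball; the same comparison also reports dependencies that appear only in the registry manifest, which matters because tooling that inspects the tarball alone would never see them. A manifest that passes this diff is consistent, not necessarily safe: the install script and the dependencies it lists still need review.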


Powered by FluxBB