Snyk for NPM security analyzed

NPM defined

NPM (Node Package Manager) is a package manager for JavaScript and the default one for Node.js. When you install Node.js, NPM is installed with it. What does that mean in practice? Through NPM we can install and manage the packages our applications depend on. When using Node.js we frequently need to install new modules (libraries), because Node.js itself ships with very little and is highly modular, so most functionality comes from additional components. Installing them is easily done with the NPM tool.

Access to freely available libraries, frameworks, and processes saves the modern enterprise the time and cost of writing an entire application stack from scratch, helping to accelerate development and drive innovation. Unlike proprietary software, open source code is not hidden, so it is also easy for each developer to customize the code base to suit their business needs. Anyone can find bugs and suggest fixes for problems within the code. This means that issues are often detected more quickly, which in some cases helps open-source software to be more robust and secure than its proprietary counterparts. However, some risks of open-source software should be considered when choosing projects for your stack.

Features and characteristics of NPM security according to Snyk

It is common for developers to think about open-source supply chain security in terms of immediate touchpoints, such as the npm packages we install (npm install event-stream) and import to our projects (import colours). However, the software supply chain attack surface is much broader than that.

Supply chain attacks have increased significantly in volume and become more sophisticated, increasingly involving Advanced Persistent Threat (APT) actors, an evolution that creates concern for businesses and organizations. It is predicted that 45% of organizations will have experienced an attack on their software supply chain by 2025.

Figure: NPM security (Snyk diagram)

One prime example of this is a recent security research article published in 2021 that found: “2818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. […] We found 58.7% of packages and 44.3% of maintainers are inactive in the npm registry.”

According to the Snyk blog, the NPM security and preventive measures for supply chain security are: (1) Prevent NPM lock file injection, (2) Prevent arbitrary command execution, (3) Avoid blind NPM package upgrades, (4) Prevent dependency confusion, (5) NPM security: proactive protection from malware, (6) Trojan source attacks.

Supply-chain Levels for Software Artifacts, also known as SLSA for short, provide an excellent reference to the weak integration points where risks await. The following visual representation is borrowed from Snyk’s Supply Chain Security White Paper:

Snyk is a handy tool, especially for static code analysis, and in particular it regularly finds and reports malicious npm packages; one such effort uncovered more than 200 malicious npm packages. To check the security of npm packages, you can use Snyk Advisor to assess open source package health, or use the (free) Snyk CLI and repository integration to scan and monitor for malicious packages.

Future Usage

As seen above, the risks to the security of the software supply chain are constantly increasing, which is worrying because attacks have become more focused on developers and their ecosystems. The interested reader may find the following articles useful for a valuable update on npm security best practices:
a) Preventing Malicious Packages and Supply Chain Attacks with Snyk by Daniel Berman.
b) What is a backdoor? Let’s build one with Node.js by Ulises Gascón.
c) 10 npm Security Best Practices by Liran Tal and Juan Picado.
If you want to train yourself in secure coding practices, I recommend taking one of the hands-on JavaScript security courses at Snyk Learn. They are both short and completely free!