CLI NPM tool has a very convenient and effective mechanism for protecting against vulnerable packages – an automatic package check during installation (using NPM Install), which can be run manually using the NPM Audit command. However, researchers from JFROG found that this mechanism of protection It easily costs when adding a hyphen to the package version (for example, 1.2.3-a), which is usually placed to indicate the preliminary version of the package. This is due to the fact that the end point bulk advisory It is possible to obtain security recommendations for packages, the version of which contains a hyphen (-), followed by additional characters.
And although the accompanying projects consider the addition of a hyphen to the name as a necessary part of the functionality that allows you to distinguish between ordinary and preliminary versions of packages, this opens up a new attack vector for attackers who seek to attack NPM ecosystem users. According to researchers, hackers can use this loophole, intentionally embedded in a vulnerable or malicious code into packages with useful functionality, which will then install nothing suspecting developers.
The researchers gave the Cruddl package, which had a critical vulnerability ( cve-2022-36084 ) In one of its previous versions. When installing this version, CLI NPM warns the developer that the package contains critical vulnerability.
However, when trying to establish a preliminary version of Cruddl 2.0.0 CLI NPM will not withdraw any warning, although this version of the package is also subject to vulnerability.
In the conclusion of the report, JFROG specialists recommended developers and DevOPS engineers never install preliminary versions of NPM packages if they are not sure that the source is 100% reliable. It is worth noting that even in this case it is recommended to return to the unconditional version of the package as soon as possible.