Npm Team Warns of New 'Binary Planting' Bug

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination between a file traversal and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planed backdoored or boobytrapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.

Package manager? Librairies?

[Anonymous Coward]

The more you rely on others to do your job, the more you open yourself to such risks.

Re:

[Joepie69]

Package managers can be useful. The main question is: Why ...why... why must every programming language come with it's own but package manager? maven, pypy, npm/bower,,...all the same crap but just with a different API. Oh and yes.. each package manager comes with different bugs/vulnerabilites as well.

Re:

[Chris Mattern]

It's the same as standards--any attempt to create a unifying package manager just adds another package manager to the pile. https://xkcd.com/927/ [xkcd.com]

Re:

[thereddaikon]

The whole idea of using a package manager for your code is beyond stupid. What happens to all of these apps if/when NPM shuts down? What happens if/when they have an update that breaks the existing API? You should ship your dependencies with your code.

thanks for the advice

[pyrrho]

but why do you have dependencies in your code?!!?

Re:

[ISayWeOnlyToBePolite]

The whole idea of using a package manager for your code is beyond stupid. What happens to all of these apps if/when NPM shuts down? What happens if/when they have an update that breaks the existing API? You should ship your dependencies with your code.

Yeah, but then tracking versions and security in the dependency chain is a chore so you automate that, sharing the code and database with other projects because why try to reinvent...

it's because none of them used to have them

[pyrrho]

neither did OSes... it's a good thing.

Re:

[bill_mcgonigle]

> Such risks

That word "such" will kill you. You're almost infinitely better off using division of labor to let others push you security updates than to track the source of every piece of software you use.

In a complex enough system you will run out of time doing your own security such that vulnerabilities will outpace you. It's the total system security that is ultimately important, not just one package.

Of course npm should check signatures and be properly isolated on the system that uses it, but one pr

Security? Convenience?

[frank_adrian314159]

This is just the classic conundrum writ large. It's so convenient to have useful libraries just a command away. And I love having that, as it's required these days to hit deadlines. But anyone who thinks the practice of downloading random code of dubious provenance is not reducing the security of the resulting systems is deluding themselves. The sad thing is that as long as there's even one clever jackass who "just wants to do it for the lolz", these systems will be at risk. How to fix it? Build better people I guess. Until then, scan, scan, and scan some more; keep thinking up new defenses; stick to oft-used packages when you use this stuff.

Easy prey

[Shark]

This might be the grumpy admin in me talking. And I must disclaim that I also know very smart and diligent devs who use node.js.

However from what I've seen of typical node.js "developers", the level of concern for what is actually going on with the machine is very low. It's more a matter of cobbling up whatever plugins and frameworks need to be duct-taped together (including node.js itself) to get whatever youtube tutorial they've been watching to produce their expected output. They'll do all of this with liberal use of sudo (or even sudo su -) in some poor VM (or docker container), trying stuff until it works without any real understanding of what's going on, then call it a day and tell the client that everything is ready for production.

So yeah, once you've run out of grandmas running windows XP to exploit, node packages are an excellent vector towards people who have very little concern for security.

Re:

[Dracos]

The community around Javascript is full of neophytes trying to prove their precious embryo of a language is comparable to Perl, Python, Ruby, PHP, Lua, etc. They do everything with a clean room mentality, refusing to taint themselves with knowledge gained from similar experiences in other languages.

citation needed

[pyrrho]

node is nothing but things grabbed from previous lessons (hey, lets START with the package manager)... and javascript itself seems to have explored the lessons of python (generators, single thread approach, destructuring, rest operators, etc)... as far as being precious... lol

Re:

[thereddaikon]

The entire concept of NPM is a giant supply chain exploit waiting to happen.

no

[pyrrho]

it's a package manager... we didn't used to have them and it was stupid and shitty.

which language do you think has just good devs

[pyrrho]

onces that always vet dependencies, and never take shortcuts and totally understand the ramifications of their decisions and care about those ramifications... all from the luck of learning the right language and tool set.... just curious which language that is.

How can I trust anything?

[AndyKron]

Java script has been around for 24 years and it still has bugs? I think my 13 year old cat can do better. She eats bugs like candy.