The security software company Socket has presented its new CLI tool safe npm, which is intended to increase security when using the JavaScript package manager npm. The open source tool wraps the command npm install and is said to detect and avert eleven different attack scenarios by pausing the installation, including malware, typosquatting, install scripts, protestware and telemetry.

According to Socket, npm install is the most dangerous command that developers run every day. A single installed package has an average of 79 transitive dependencies. Any of these 80 packages can, for example, use an install script, which npm runs automatically during installation, to execute additional shell code. This feature is desirable in some cases, but in others it can harbor malware.

Typosquatting is another common form of attack: a package whose name resembles that of a well-known package is uploaded to npm with malicious code. A corresponding typo during installation gives developers the malicious package instead of the intended one.

Socket's newly presented safe npm tool is a wrapper for the npm and npx commands and is intended to avert the dangers of npm install. If it detects a potentially malicious package, it pauses the installation and informs the user about the risks. The risk assessment rests on three building blocks: static analysis, metadata analysis and maintainer behavior. In total, more than 70 signals feed into the evaluation of open source packages.

An engine developed by Socket performs the static analysis. It analyzes source code without executing it in order to detect potential signs of supply chain attacks. According to the development team, this covers dozens of clues such as install scripts, network requests, environment variable access, telemetry and suspicious strings.

Maintainer behavior also plays a role: who is the maintainer, and what is this person's activity history? Packages without a maintainer and packages that have recently undergone a major refactoring also stand out. The third category examines the metadata, which among other things is meant to catch typosquatting. For example, webb3 is a malicious version of the package web3, and the latter has a 300,000 times higher number of downloads.

To use safe npm, the Socket CLI, currently available as a preview, must be installed:

npm install -g @socketsecurity/cli

This command adds a socket binary to the PATH. Afterwards, socket npm install can be used instead of npm install to enable the security features. The safe npm feature is included from CLI version 0.5.1 onward. The installed version number can be checked with socket --version.

To avoid having to change npm to socket npm in existing code and scripts, the development team recommends a shell alias in .bashrc or .zshrc:

alias npm="socket-npm"
alias npx="socket-npx"

In this first release, safe npm works with the default socket.yml settings. Those interested can contribute to the Socket CLI tool on GitHub. A similar tool for the Python ecosystem, safe pip, is already up for discussion as a feature request.

More information about the initial release of safe npm can be found in a blog entry.


(May)
