This JavaScript scanner hunts down malware in libraries (Security News, March 2022)
For those developing with JavaScript and related technologies, GitHub's NPM Package Registry is an essential resource.
It's the home of more than 1.8 million packages - libraries and modules that get added to applications as dependencies to perform useful functions.
Pointing to a 2020 research paper [PDF] that found malware typically lurks in hosted packages for 200 days before being detected, Aboukhadijeh said it was clear that bad packages had to be caught before they got integrated into developers' apps.
"For instance, to determine if an npm package uses the network, Socket looks at whether `fetch()`, or Node's `net`, `dgram`, `dns`, or `http` or `https` modules are used within the package or - and this part is key - any of its dependencies.
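As an added illustration of the check described in that quote (this is not Socket's code), the following walks a package's dependency graph transitively and flags any package whose sources call `fetch()` or load one of Node's `net`, `dgram`, `dns`, `http` or `https` modules. The registry shape, package names and source snippets are constructed for the example; the regex is a heuristic and not a substitute for a real parser.

```javascript
// Added example, not Socket's implementation: transitive "uses the network" check.
const NETWORK_MODULES = new Set(['net', 'dgram', 'dns', 'http', 'https']);

// Matches require('x'), import('x') and `import ... from 'x'`, with or without the
// 'node:' prefix. A regex over source text is a heuristic: dynamic loaders such as
// require(name) are not resolved, so a miss here is not proof of absence.
const MODULE_RE = /(?:require\s*\(|import\s*\(|from)\s*['"](?:node:)?([^'"]+)['"]/g;
const FETCH_RE = /\bfetch\s*\(/;

// Network-related capabilities that appear directly in one package's sources.
function directNetworkUses(sources) {
  const uses = new Set();
  for (const src of sources) {
    if (FETCH_RE.test(src)) uses.add('fetch');
    for (const m of src.matchAll(MODULE_RE)) {
      if (NETWORK_MODULES.has(m[1])) uses.add(m[1]);
    }
  }
  return uses;
}

// registry maps package name -> { dependencies, sources } (constructed shape).
// Returns [{ name, uses }] for every package reachable from `root` that touches
// the network, so a clean root with a noisy transitive dependency is still flagged.
function findNetworkUsage(registry, root) {
  const findings = [];
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue; // dependency cycles are common in npm graphs
    seen.add(name);
    const pkg = registry[name];
    if (!pkg) continue; // unresolved dependency: skip rather than crash
    const uses = directNetworkUses(pkg.sources);
    if (uses.size) findings.push({ name, uses: [...uses].sort() });
    for (const dep of Object.keys(pkg.dependencies || {})) stack.push(dep);
  }
  return findings;
}

// Constructed sample registry (hypothetical package names): the root package is
// clean, but a dependency two hops down opens network connections.
const SAMPLE_REGISTRY = {
  'left-pad-ish': { dependencies: { 'string-utils-x': '1.0.0' },
                    sources: ["module.exports = s => ' '.repeat(4) + s;"] },
  'string-utils-x': { dependencies: { 'telemetry-x': '2.1.0' },
                      sources: ["const t = require('telemetry-x');"] },
  'telemetry-x': { dependencies: {},
                   sources: ["const https = require('node:https');",
                             "fetch('https://example.invalid/c');"] },
};

console.log(JSON.stringify(findNetworkUsage(SAMPLE_REGISTRY, 'left-pad-ish')));
```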
Socket package search and package health scores are available at no cost from the company's website.
"In the coming weeks, we'll ship a new detection for packages with maintainers who use email addresses with expired domains, which is a huge risk factor for package hijacking," Aboukhadijeh said.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/03/01/socket_npm_dependency_scanner/