Security News > 2023 > June > Warning: JavaScript registry npm vulnerable to 'manifest confusion' abuse
The npm Public Registry, a database of JavaScript packages, does not check that the manifest data it serves for a package matches the contents of the tarball that data describes, creating an opportunity for the installation and execution of malicious files.
"The npm Public Registry does not validate manifest information with the contents of the package tarball, relying instead on npm-compatible clients to interpret and enforce validation/consistency," Clarke explains.
According to Clarke, the npm Public Registry server has never done manifest validation.
Asked whether lack of resources for npm development under GitHub led to this state of affairs, Clarke told The Register that while he believes GitHub underinvested in npm, "I think this issue actually went unnoticed for so long because of the horrible lack of up-to-date registry documentation."
The Register understands that the npm Public Registry hasn't been fully open source since early 2014, about four years after its initial release.
"The key point to make here is that the ecosystem is currently under the incorrect assumption that the manifest always contains the contents of the tarball's package.json," said Clarke, who again pointed to the lack of documentation about the need for npm client software to ensure manifest-tarball consistency.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/06/27/javascript_registry_npm_vulnerable/