
NPM ecosystem at risk from “Manifest Confusion” attacks
2023-06-28 14:28

Manifest confusion occurs when there is an inconsistency between a package's manifest information presented on the npm registry and the actual 'package.json' file in the tarball of the published npm package, which is what is used when the package is installed.

Both the manifest data submitted to NPM when publishing a package and the package.

Clarke says GitHub has known about manifest confusion problems since at least 2022, and a bug report filed on the npm CLI's GitHub repository concerning the node-canvas package seems to confirm that.

Until GitHub forges a plan to deal with manifest confusion on npm, Clarke suggests that authors and maintainers of packages remove the reliance on manifest data and instead source all metadata apart from the name and version from 'package.json'.

Another protection measure would be to use a registry proxy between the package database and the npm client, which could implement additional checks and validations to ensure the consistency between the manifest data and the information in the package's tarball.
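As an added illustration of the check such a proxy (or a maintainer) could run, the following Python is not from the article; it builds a constructed in-memory npm-style tarball, reads the 'package.json' inside it, and reports which fields differ from a constructed registry manifest. The field list and the sample package name are assumptions for the demonstration.

```python
import io
import json
import tarfile

# Fields where a registry-manifest / tarball mismatch is worth flagging (assumed list)
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts", "main")


def package_json_from_tarball(tar_bytes):
    """Parse package/package.json from a gzip-compressed npm tarball held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def find_manifest_confusion(registry_manifest, tarball_pkg_json):
    """Return {field: (registry_value, tarball_value)} for every checked field that differs."""
    mismatches = {}
    for field in CHECKED_FIELDS:
        reg_value = registry_manifest.get(field)
        tar_value = tarball_pkg_json.get(field)
        if reg_value != tar_value:
            mismatches[field] = (reg_value, tar_value)
    return mismatches


def build_sample_tarball(pkg_json):
    """Constructed sample: write pkg_json as package/package.json into a gzip'd tar."""
    data = json.dumps(pkg_json).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: the registry says "no dependencies, no scripts",
# while the tarball's package.json (the one npm actually installs from) disagrees.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                     "dependencies": {}, "scripts": {}}
TARBALL_PKG_JSON = {"name": "example-pkg", "version": "1.0.0",
                    "dependencies": {"left-pad": "^1.3.0"},
                    "scripts": {"postinstall": "node ./setup.js"}}


def check_sample():
    """Run the consistency check over the constructed sample and return the mismatches."""
    tarball = build_sample_tarball(TARBALL_PKG_JSON)
    return find_manifest_confusion(REGISTRY_MANIFEST, package_json_from_tarball(tarball))


if __name__ == "__main__":
    for field, (reg_value, tar_value) in check_sample().items():
        print(f"{field}: registry={reg_value!r} tarball={tar_value!r}")
```

Against a real package the same comparison would take the manifest from the registry's metadata document and the tarball from its download URL; any non-empty result means the installed package does not match what the registry advertises.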


News URL

https://www.bleepingcomputer.com/news/security/npm-ecosystem-at-risk-from-manifest-confusion-attacks/