Security News > 2023 > July > New Python tool checks NPM packages for manifest confusion issues
A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.
The problem is with the inconsistent information between a package's manifest data as displayed in the NPM registry and the data present in the 'package.
A malicious actor could manipulate the manifest data of a new package, eliminating certain scripts or dependencies so that they do not appear in the NPM registry.
Since GitHub has yet to address the problem and it is unclear what the platform plans to do, Clarke suggested that package maintainers remove reliance on manifest data and use a registry proxy to perform data consistency checks.
Until a solution is implemented, sysadmin Felix Pankratz has released a Python-based tool that can help software developers check the NPM packages for inconsistencies.
The tool will report any mismatches found on each of the checked packages.