
Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware
2023-07-05 09:00

The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation.

"An npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week.

The problem, at its core, is that the manifest a publisher submits to the registry and the package.json inside the uploaded tarball are decoupled: the registry stores and serves the manifest without ever cross-referencing it against the tarball's contents, so a mismatch between the two leads to unexpected behavior and misuse.

As a result, a threat actor could publish a package whose tarball package.json declares dependencies and install scripts that are absent from the registry manifest. Tooling that trusts the manifest never sees them, yet they can still be acted on during installation, paving the way for a supply chain attack and the poisoning of a developer's environment.

"Manifest confusion becomes problematic in development environments without effective DevSecOps workflows and tooling in place, especially when applications blindly trust application manifests rather than the actual files contained within open source packages," Sonatype researcher and journalist Ax Sharma said.

The finding underscores that the metadata in a registry manifest alone cannot be relied upon when downloading a package from the open-source repository; users should instead inspect the actual tarball contents, including the package.json it ships, and scan packages for anomalous dependencies, scripts and other suspicious features.

News URL

https://thehackernews.com/2023/07/nodejs-users-beware-manifest-confusion.html