Team Hexmos

How to Protect Private npm Packages from Dependency Confusion

Sreedeep cv's photo
Sreedeep cv
·

2 min read

When downloading and using a package from any of the sources(npm, pip etc), you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors? This question gave rise to a new attack vector called dependency confusion.

If you are a developer then you must have run some command like this:

pip install package_name

This package comes form a package directory. You have probably heard of these tools already: Node has npm and the npm registry, Python’s pip uses PyPI (Python Package Index) etc.

When you work on some project you can create your own private packages. Your project will contain both public and private packages. This will be stored in a file like package.json . When we try to setup the project we do an npm install , which will fetch all the public and private packages.

If the Attacker found a way to see the package.json he can list the private repos. Once the private ones are listed he can create public versions of it with new tags. When any user tries to setup the files, the latest version created by the attacker is being fetched.

The Attacker will add some malicious code in the package that will affect the user downloading the package. This is how dependency confusion attack takes place. Npm allows arbitrary code to be executed automatically upon package installation, allowing me to easily create a Node package that collects some basic information about each machine it is installed on through its preinstall script.

If you are trying to find such issues, if the package.json is not available, then even js files sometimes leak the dependency name. This bug has a high severity rating.

For mitigation checkout this article by Microsoft : 3 Ways to Mitigate Risk When Using Private Package Feeds - v1.0.pdf

Thanks for the read ! If you are new to my blogs. I am working on a tool called LiveAPI. It will automate back-end API documentation for your whole organisation with least effort. Please try it out.

npmhackingbugbounty