Security: CLI tool is designed to protect npm install from malware

Kiratas by Kiratas
March 17, 2023
in World

The security software company Socket has presented its new CLI tool safe npm, which is intended to increase security when using the JavaScript package manager npm. The open-source tool wraps the npm install command and is said to detect and pause the installation for eleven different attack scenarios, including malware, typosquatting, install scripts, protestware, and telemetry.

Dangers of npm install

As Socket explains, npm install is the most dangerous command that developers run on a daily basis. According to Socket, a single installed package has an average of 79 transitive dependencies. Any of these 80 packages can, for example, use an install script to run additional shell code that npm executes automatically during installation. This feature is desirable in some cases but harbors malware in others.

Typosquatting is also a common form of attack: a package whose name resembles that of a well-known package is uploaded to npm with malicious code. A corresponding typo during installation hands developers the malicious package instead of the one they intended.

safe npm should help

The newly presented safe npm tool from Socket is a wrapper for the npm and npx commands and is intended to avert the dangers of npm install. If it detects a potentially malicious package, it pauses the installation and reports the risks. The risk assessment rests on three building blocks: static analysis, metadata analysis, and maintainer behavior. A total of over 70 signals feed into the evaluation of open-source packages.

An engine developed by Socket performs the static analysis. It analyzes source code without executing it to detect potential signs of supply chain attacks. According to the development team, this covers dozens of clues, such as newly added install scripts, network requests, environment variable access, telemetry, and suspicious strings.

Maintainer behavior also plays a role: who is the maintainer, and what is this person's activity history? Packages without a maintainer and packages that have recently undergone a major refactoring also stand out. The third category examines the metadata, which, among other things, is meant to detect typosquatting. For example, webb3 is a malicious version of the package web3, and the latter has a 300,000 times higher number of downloads.
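The following is an added example, not Socket's code, showing two of the checks described above in miniature: flagging lifecycle install scripts in a package manifest and flagging names within a small edit distance of a popular package (the webb3 versus web3 pattern). The popular-package list and the sample manifest are constructed for illustration.

```javascript
// Added example (not Socket's code): two of the checks the article describes,
// run against a constructed package.json before anything is installed.

// Constructed list of well-known package names (stand-in for real download data).
const POPULAR = ["web3", "express", "lodash", "react", "axios"];

// Lifecycle hooks that npm executes automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance between two strings (dynamic programming).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,                                   // deletion
        d[i][j - 1] + 1,                                   // insertion
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)  // substitution
      );
    }
  }
  return d[a.length][b.length];
}

// Inspect a parsed manifest; returns human-readable findings (empty = nothing flagged).
function assessManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      findings.push(`install script: "${hook}" runs \`${scripts[hook]}\``);
    }
  }
  for (const known of POPULAR) {
    const dist = editDistance(manifest.name, known);
    // Distance 0 is the genuine package; 1-2 edits from a popular name is the typosquat pattern.
    if (dist > 0 && dist <= 2) {
      findings.push(`possible typosquat: "${manifest.name}" is ${dist} edit(s) from "${known}"`);
    }
  }
  return findings;
}

// Constructed manifest modelled on the article's webb3 / web3 example.
const sample = { name: "webb3", version: "1.0.0",
                 scripts: { postinstall: "node setup.js", test: "jest" } };

console.log(assessManifest(sample).join("\n"));
```

A real tool would source the popular-package list from registry download counts and treat these findings as a reason to pause and review, as safe npm does, rather than as proof of malice.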

Installation and Use

In order to use safe npm, the Socket CLI, which is available as a preview, must be installed:

npm install -g @socketsecurity/cli

This command adds a socket binary to the PATH. You can then run socket npm install instead of npm install to take advantage of the security features. safe npm is included from CLI version 0.5.1 onward. The installed version can be checked with socket --version.

To avoid having to change existing code to call socket npm, the development team recommends a shell alias in .bashrc or .zshrc:

alias npm="socket-npm"

alias npx="socket-npx"

In this first release, safe npm supports the default socket.yml settings. Interested parties can contribute to the Socket CLI tool on GitHub. A similar tool for the Python ecosystem, safe pip, is already under discussion as a feature request.

A blog entry provides further information on the initial release of safe npm.

(May)
