
Invisible npm malware – evading security checks with crafted versions

Blog post from JFrog

Post Details

Author: Or Peles, JFrog Vulnerability Research Team Leader
Word Count: 995
Company Posts That Month: 8
Language: English
Summary

The npm CLI's security feature, which checks for vulnerabilities in packages and their dependencies, exhibits a significant flaw when dealing with package versions that include a hyphen, which are considered pre-release versions according to Semantic Versioning. This flaw prevents npm from reporting known vulnerabilities for such packages, as demonstrated by a discrepancy between npm and JFrog Xray in detecting vulnerabilities in the package cruddl 2.0.0-update.2. The npm Bulk Advisory endpoint fails to retrieve advisories for these versions due to its handling of pre-release tags, which could be exploited by attackers to evade security checks. Developers are advised to avoid installing pre-release npm packages unless they are from a highly reputable source, and to return to non-pre-release versions as soon as possible.
