Npm removed yet another malicious package from its open-source package registry this week. It marks the fourth major takedown in three months for npm.
Previously, we discussed that all open-source code should be reviewed prior to use. This should have been an automatic process for programmers anyway, but as humans, we tend to be more trusting than not. Unfortunately, that paves the way for bad actors to get in and do damage. The latest package, named “twillio-npm,” was discovered by Sonatype, a company that monitors public package repositories as part of its DevOps services.
As ZDNet reported: “Any computer that has this package installed or running should be considered fully compromised,” the npm security team said today, confirming Sonatype’s investigation. “All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm team added.
As stated above, this is the fourth major takedown of malicious packages on the npm registry in the last three months. August saw a malicious npm package removed. September saw four libraries removed. And, in the last two weeks, three more packages were removed. That’s a total of nine malicious libraries removed from npm in a very short amount of time.
Humans tend to trust other humans until given a reason not to. We’ve been warned for years that this could happen, and it’s actually surprising that it’s taken this long for the problem to arise. Open-source code sharing has been around for a long time; programmers often figure out new ways to write code or to automate something that previously wasn’t automated. They work together not only to simplify the coding process, but to collaborate and come up with solutions together.
Having a bad actor come inside their world should make programmers feel violated, although they shouldn’t be surprised either. But they should be incredibly angry and frustrated. This is a place they should be able to go to find a solution to a problem they have. They might find that solution, but now they know they might also import malicious code with that solution.
Open-source code should always be reviewed, whether it comes from the npm registry, GitHub or somewhere else. Before the last few months, most programmers would have laughed off the need to review open-source package code. But now? Now it’s a much-needed step in the process.
This really goes to show that bad actors are everywhere. They will do whatever they can, whatever it takes to infiltrate a business and steal whatever information they can gain. This could be personal, private and sensitive information. It could be proprietary business information or intellectual property. It could be stealing compute, cryptomining or simply holding your business systems hostage until a ransom is paid. Whatever the method, one thing is for sure: Bad actors will do whatever it takes to get what they want, and anyone in the way better move or get run over.
Don’t be the next victim. Do an intense security review now, before 2021 starts and a new budget is in place. Make a plan to fix anything that needs fixing. Review code for unwanted strings. Review IAM controls to ensure least privilege. Review all cloud services to ensure proper use, that all services are actually being used, and that you know what normal looks like and have alerts set around it. Review or scan your open-source packages. If you don’t know how, or want an outsider’s opinion to ensure nothing is missed, hire an expert! Under the thumb of a pandemic, cybersecurity in 2020 is a major factor in business success. Don’t let your business fail because you missed an opportunity to fix a problem!
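A concrete starting point for the “review or scan your open-source packages” step above, as an added example that is not code from the article, npm or Sonatype: a small Node script that walks a list of package manifests and flags two signals a reviewer would want to look at before trusting a dependency. The first is a package name that is a near-miss of a well-known name (the “twillio” versus “twilio” pattern), the second is an install-time lifecycle script, because npm runs those automatically during `npm install`. The known-good list and the sample manifests are constructed assumptions for illustration; in practice you would feed it the `package.json` files under `node_modules` and your team’s own list of reviewed packages.

```javascript
// Added example, not from the article: audit package manifests for two review signals.
// Inputs below are constructed for illustration.

// Assumption: names the team has already reviewed and expects to see as dependencies.
const KNOWN_GOOD = ["twilio", "lodash", "express", "react"];

// Lifecycle scripts npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Classic edit distance (single-row dynamic programming), enough for a few hundred names.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds dp[i-1][j-1] as j advances
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      prev[j] = Math.min(
        above + 1,                                   // deletion
        prev[j - 1] + 1,                             // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)       // substitution
      );
      diag = above;
    }
  }
  return prev[b.length];
}

// Normalise a name for comparison: drop an npm scope and suffixes that are often
// bolted onto a familiar name ("-npm", "-js", ".js").
function baseName(name) {
  return name
    .toLowerCase()
    .replace(/^@[^/]+\//, "")
    .replace(/(-npm|-js|\.js)$/, "");
}

// Known-good names this package name is suspiciously close to. An exact match is the
// expected dependency and is not reported.
function typosquatCandidates(name, knownGood = KNOWN_GOOD, maxDistance = 2) {
  if (knownGood.includes(name)) return [];
  const base = baseName(name);
  return knownGood.filter((good) => levenshtein(base, good) <= maxDistance);
}

// Install hooks declared in a package.json-style manifest.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// One finding per signal per manifest; an empty result means nothing to review.
function auditManifests(manifests, knownGood = KNOWN_GOOD) {
  const findings = [];
  for (const m of manifests) {
    for (const good of typosquatCandidates(m.name, knownGood)) {
      findings.push({ package: m.name, kind: "possible-typosquat", detail: `looks like "${good}"` });
    }
    for (const hook of installScripts(m)) {
      findings.push({ package: m.name, kind: "install-script", detail: `${hook}: ${m.scripts[hook]}` });
    }
  }
  return findings;
}

// Constructed manifests standing in for the package.json files under node_modules.
const SAMPLE_MANIFESTS = [
  { name: "twillio-npm", version: "1.0.0", scripts: { postinstall: "node ./setup.js" } }, // constructed
  { name: "lodash", version: "4.17.20" },
  { name: "express", version: "4.17.1", scripts: { test: "mocha" } }, // "test" is not an install hook
];

for (const f of auditManifests(SAMPLE_MANIFESTS)) {
  console.log(`[${f.kind}] ${f.package}: ${f.detail}`);
}
```

On the constructed input the script reports two findings, both against `twillio-npm`: a name one edit away from `twilio`, and a `postinstall` script. Neither finding proves the package is malicious; they mark what a human should read before the package is allowed into a build, which is exactly the review step this post argues for.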