
At some point, npm leadership either discovered this campaign on its own or was alerted by other researchers, because in August, 21 packages were removed from the repository. However, after September, 80 additional packages were uploaded. All, Koi Security believes, were clearly controlled by the same person.
‘Disastrous’ flaw in npm
This is a “disastrous” systemic design flaw in npm’s dependency management functionality, Tanya Janca, head of Canadian secure coding training firm She Hacks Purple Consulting, told CSO. The lack of validation for dependency URLs bypasses the trust boundary for the Node.js software supply chain, she said.
Few programming languages allow dependencies to be specified via URLs, and even most of those that do have package managers that block this feature due to security concerns, she said. For instance, she pointed out, it’s allowed in Python, but the open source Python Package Index repository of packages (PyPI) blocks this functionality.
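The design weakness described above can at least be surfaced on the consuming side: a project manifest reveals which dependencies are pinned to registry version ranges and which are fetched from a URL, a git host, or a local path, outside the registry's trust boundary. The following is an added example, not code from the article, from Koi Security, or from npm itself. It assumes a `package.json` already parsed into an object; the spec-classification regexes are an approximation of npm's dependency-spec grammar (the exact grammar is an assumption here), and the sample manifest, package names, and `example.invalid` URLs are constructed placeholders.

```javascript
// Added example: audit a package.json object for dependency specs that
// bypass the npm registry (URL, git, or local-path specs).
// Not taken from the CSO article, Koi Security, or npm.

// Prefixes npm treats as remote URL / git specs (approximation of npm's grammar).
const URL_LIKE_PREFIX = /^(git\+[a-z]+:|git:|ssh:|https?:|github:|gitlab:|bitbucket:|gist:)/i;
// scp-style git address, e.g. "git@host:org/repo.git"
const SCP_STYLE_GIT = /^[\w.-]+@[\w.-]+:/;
// Bare GitHub shorthand "user/repo" or "user/repo#ref" is also fetched over git.
const SHORTHAND_REPO = /^[\w.-]+\/[\w.-]+(#.*)?$/;
// Specs resolved on the local filesystem rather than from the registry.
const LOCAL_PREFIX = /^(file:|link:|workspace:)/i;
// "npm:other-name@range" installs a registry package under an alias name.
const ALIAS_PREFIX = /^npm:/i;

// Classify one dependency spec string. Anything not recognised as a URL,
// local, or alias spec is treated as a registry version range or dist-tag.
function classifySpec(spec) {
  if (typeof spec !== 'string') return 'invalid';
  const s = spec.trim();
  if (URL_LIKE_PREFIX.test(s) || SCP_STYLE_GIT.test(s)) return 'url';
  if (LOCAL_PREFIX.test(s)) return 'local';
  if (SHORTHAND_REPO.test(s)) return 'url';
  if (ALIAS_PREFIX.test(s)) return 'alias';
  return 'registry';
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Return every dependency whose spec does not resolve through the registry.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest; names and URLs are placeholders, not real packages.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    'safe-lib': '^2.1.0',
    'helper-lib': '~1.0.0',
    'shady-lib': 'git+https://example.invalid/attacker/shady-lib.git',
    'tarball-lib': 'https://example.invalid/tarball-lib-1.0.0.tgz',
  },
  devDependencies: {
    'local-tool': 'file:../local-tool',
    'test-lib': 'latest',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.field}: ${f.name} -> ${f.spec} [${f.kind}]`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { classifySpec, auditDependencies, SAMPLE_PACKAGE_JSON };
}
```

Run against the constructed manifest, the audit reports `shady-lib` and `tarball-lib` as URL specs and `local-tool` as a local path, while `safe-lib`, `helper-lib`, and `test-lib` pass as registry specs. In a CI check the same function can be pointed at the parsed `package.json` of every workspace, and the `url` findings are the ones that deserve a review before install.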