npm allows packages to take actions that could result in a malicious npm package author to create a worm that spreads across the majority of the npm ecosystem.
npm is the default package manager for Node.js, which is a runtime environment for developing server-side web applications. There are several factors in the npm system that could allow for a worm to compromise the majority of the npm ecosystem:
When these three aspects of npm are combined, it provides the capability for a self-replicating worm. The following steps are an example worm workflow outlined in the report provided by Sam Saccone:
The full report from Sam Saccone is available here in PDF form: npmwormdisclosure.pdf
The timeline provided in the above document is as follows:
Jan 1 2016 Initial discovery of exploit
Jan 4 2016 Initial disclosure + proof of concept to npm
Jan 5 2016 Private disclosure to Facebook
Jan 7 2016 Response from npm
Jan 8 2016 Confirmation of works as intended no intention to fix at the moment from npm.
Feb 5 2016 Shared the disclosure doc
An attacker may be able to create a self-replicating worm that spreads as users install packages.
The CERT/CC is currently unaware of a practical solution to this problem. Please see the npm Blog for details and also consider the following workarounds:
Thanks to David Ross and Sam Saccone for reporting this vulnerability.
This document was written by Will Dormann.
|Date First Published:||2016-03-26|
|Date Last Updated:||2016-03-26 21:46 UTC|