NPM Malware Dependency

ID

malware_dependency_npm

Severity

critical

Family

Malware

Description

This detector checks the project dependencies, direct and transitive, and reports every one that has been identified as malware.

Packages known to be malware, and specific versions of legitimate packages that were published with malware (for example after a maintainer account takeover), are blacklisted.

In the npm registry, malicious versions of an existing package are removed and the maintainers publish a higher, clean version. A package that was malicious from the start is replaced by an npm security placeholder (a holding package published as version 0.0.1-security), so any remaining references to the name resolve to the placeholder and make the history visible instead of silently failing.

You can add your own blacklisted and whitelisted dependencies in the files javascript.black.list and javascript.white.list in the directory conf/suspectdeps/malwareLists, one dependency per line.

The format to declare dependencies in these files is:

  • If you want to declare all versions of a package without scope: packageName

  • If you want to declare all versions of a package with scope: scope/packageName

  • If you want to declare a fixed version of a package with scope: scope/packageName@version

  • If you want to declare a fixed version of a package without scope: packageName@version

Security

If a dependency contains malware, the consequences can be catastrophic for the organization. npm packages can run arbitrary code from install hooks (preinstall, postinstall) on every developer machine and CI runner that installs them, and the same code ships into production environments together with the dependency, so a single malicious version can exfiltrate credentials, plant backdoors, or tamper with build output.

Examples

package.json

 {
   "dependencies": {
     "package-with-malware": "1.0.0"
   }
 }

Mitigation / Fix

If the malicious package is a direct dependency, remove it from package.json (or, when only certain versions are affected, move to a clean version that is not blacklisted) and regenerate the lockfile.

If the malicious package is an indirect dependency, it is pulled in by one or more of your direct dependencies. Identify the direct dependency at the top of each path to the problematic package (npm ls package-with-malware prints these paths) and upgrade or replace that direct dependency with a version that no longer depends on the malicious one; only if no such version exists should the direct dependency itself be removed. You may use the dependency search in xygeni for this analysis.
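The following is an added example, not Xygeni's own code, that ties together the list format described above and the path analysis needed for the fix: it parses blacklist/whitelist entries in the four forms listed earlier, walks a dependency tree, and for each blacklisted package reports the direct dependency at the top of the path that pulls it in. It assumes that scoped entries are written with npm's leading "@" (for example @scope/packageName), that lines starting with "#" are comments, that a whitelist entry suppresses a matching blacklist entry, and that the tree has the shape of the "dependencies" object printed by npm ls --json. All sample data is constructed.

```javascript
// Added example (not Xygeni's code). Checks a dependency tree against the
// javascript.black.list / javascript.white.list entry format and reports,
// for every hit, the direct dependency that introduces it.

// Parse one list line. Supported forms (assumption: scoped names keep npm's "@"):
//   packageName            @scope/packageName
//   packageName@version    @scope/packageName@version
function parseListEntry(line) {
  const entry = line.trim();
  if (!entry || entry.startsWith('#')) return null; // blank line or comment (assumed syntax)
  // The version separator is the last "@"; an "@" at index 0 is the scope prefix.
  const at = entry.lastIndexOf('@');
  if (at > 0) return { name: entry.slice(0, at), version: entry.slice(at + 1) };
  return { name: entry, version: null }; // null means "all versions"
}

function parseList(text) {
  return text.split('\n').map(parseListEntry).filter(Boolean);
}

function matches(entries, name, version) {
  return entries.some(e => e.name === name && (e.version === null || e.version === version));
}

// Walk a nested tree shaped like the "dependencies" object of `npm ls --json`:
// { name: { version, dependencies?: { ... } } }. Returns one finding per hit,
// with the full path from the direct dependency down to the flagged package.
function findBlacklisted(tree, blacklist, whitelist, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    // Assumption: a whitelist entry overrides a blacklist entry for the same package/version.
    if (matches(blacklist, name, node.version) && !matches(whitelist, name, node.version)) {
      findings.push({ name, version: node.version, direct: path.length === 0, path: here });
    }
    if (node.dependencies) {
      findings.push(...findBlacklisted(node.dependencies, blacklist, whitelist, here));
    }
  }
  return findings;
}

// The direct dependencies to upgrade, replace or remove: the first element of each path.
function directDependenciesToFix(findings) {
  return [...new Set(findings.map(f => f.path[0]))];
}

// --- constructed sample data -------------------------------------------------
const BLACKLIST = `
# constructed sample of conf/suspectdeps/malwareLists/javascript.black.list
package-with-malware
@evil-scope/stealer@2.3.1
left-pad-typo
`;
const WHITELIST = `left-pad-typo@1.0.0`;

// Constructed tree in the shape of \`npm ls --json\` "dependencies".
const TREE = {
  'express': { version: '4.18.2', dependencies: { 'qs': { version: '6.11.0' } } },
  'build-helper': { version: '1.2.0', dependencies: {
    'package-with-malware': { version: '1.0.0' } } },
  '@evil-scope/stealer': { version: '2.3.0' }, // only 2.3.1 is blacklisted
  'left-pad-typo': { version: '1.0.0' },        // blacklisted, but this version is whitelisted
};

function scan() {
  return findBlacklisted(TREE, parseList(BLACKLIST), parseList(WHITELIST));
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scan();
  for (const f of findings) {
    console.log(`${f.direct ? 'DIRECT' : 'TRANSITIVE'} ${f.name}@${f.version} via ${f.path.join(' > ')}`);
  }
  console.log('direct dependencies to fix:', directDependenciesToFix(findings));
}
```

Against the sample tree the scan reports a single transitive hit, package-with-malware@1.0.0 reached through build-helper@1.2.0, so build-helper is the dependency to upgrade or replace; @evil-scope/stealer is not reported because only version 2.3.1 is listed, and left-pad-typo@1.0.0 is suppressed by the whitelist.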