NPM Unscoped internal components

ID

unscoped_internal_components_npm

Severity

low - critical

Family

Dependency Confusion

Description

NPM supports scoped and unscoped packages. A scoped package like @myorg/mypkg belongs to an organization, and only members of the organization can publish packages to that scope. An unscoped package may or may not belong to an organization.

This detector reports two conditions: the current project's own package name is unscoped (Severity low), and private dependencies found in the analyzed repository are scoped while the current project still uses unscoped names (Severity critical).

Security

If your internal packages are unscoped, attackers can create public packages with the same names containing malicious code. If they are scoped but your organization does not own the scope on the public registry, attackers can become owners of that scope and add malicious code to the public components.

Examples

package.json
 ...
 "dependencies": {
   "my-private-dep-not-in-repo": "1.0.0"
 }
 ...
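
The rule described above, as an added example that is not the detector's own code: it evaluates a parsed package.json against a set of package names known to be private. That set is a hypothetical input (the real detector derives it from the analyzed repository), and the "critical" condition is interpreted here as an unscoped project whose private dependencies already use a scope.

```javascript
// Added example, not the detector's own code. Reimplements the
// "unscoped internal components" rule over a parsed package.json.

// npm scoped names look like @scope/name; everything else is unscoped.
const SCOPED = /^@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*$/i;

function isScoped(name) {
  return SCOPED.test(name);
}

// Collect every dependency name declared in the manifest.
function dependencyNames(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  return sections.flatMap((s) => Object.keys(pkg[s] || {}));
}

// Returns { severity, unscopedPrivate, scopedPrivate }.
// "low": the project itself is unscoped.
// "critical": the project is unscoped while private dependencies already use a
//             scope (interpretation of the description, assumed here).
// "none": the project name is scoped.
// unscopedPrivate lists the private names an attacker could register publicly.
function checkUnscopedInternalComponents(pkg, privateNames) {
  const privateDeps = dependencyNames(pkg).filter((n) => privateNames.has(n));
  const unscopedPrivate = privateDeps.filter((n) => !isScoped(n));
  const scopedPrivate = privateDeps.filter((n) => isScoped(n));
  let severity = "none";
  if (!isScoped(pkg.name)) {
    severity = scopedPrivate.length > 0 ? "critical" : "low";
  }
  return { severity, unscopedPrivate, scopedPrivate };
}

// Constructed manifest modelled on the Examples section; hypothetical names.
const sampleManifest = {
  name: "my-internal-app",
  version: "1.0.0",
  dependencies: {
    "my-private-dep-not-in-repo": "1.0.0",
    "@myorg/auth-client": "2.3.1",
    "lodash": "4.17.21",
  },
};
// Constructed set of names the organization publishes only internally.
const samplePrivate = new Set(["my-private-dep-not-in-repo", "@myorg/auth-client"]);

console.log(JSON.stringify(checkUnscopedInternalComponents(sampleManifest, samplePrivate), null, 2));
```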

Mitigation / Fix

  • If the internal packages published are scoped, you should make sure you also own the same scope on npmjs.com to block malicious parties from publishing packages with the same scope.

  • If your internal scope is owned by another organization on npmjs.com, you may create a new scope on npmjs.com and migrate your internal packages to that scope internally.

  • If your internal packages are unscoped, we recommend migrating them to a scope you own on npmjs.com.