Malicious NPM Packages

Malicious NPM packages are software modules published to the Node Package Manager registry that contain code designed to compromise host systems, steal data, or disrupt operations. They represent a critical vector in Software Supply Chain Attacks.

Threat Vectors

  • Typosquatting: Packages with names similar to popular libraries to trick developers into installation.
  • Dependency Confusion: Exploiting internal package resolution to push malicious code to private registries.
  • Post-Install Scripts: Executing arbitrary code during the npm install phase, often before the developer reviews the code.
  • Supply Chain Compromise: Taking over maintainership of legitimate, widely-used packages to inject backdoors.

Mitigation Strategies

References