Hackers hit developers, expecting to affect the software supply chain.
A recent study by JFrog found more than 800 packages in the npm registry that have discrepancies between the information specified in the package itself and their actual contents. Some of them use the Manifest Confusion technique to deceive developers and hide malicious code in the package.
The malicious Manifest Confusion technique, or "manifest confusion", was first documented in June 2023, when security researcher Darcy Clark discovered that inconsistencies between the manifest and package metadata could be used to attack the software supply chain.
The problem is that the npm registry doesn't check if the manifest file in the archive matches (package.json) with manifest data provided to the npm server during the package publishing process.
As a result, an attacker can use this flaw to spoof a manifest containing hidden dependencies that will be installed during package installation, thereby invisibly injecting malicious dependencies into the developer's system.
JFrog reports that its specialists have discovered more than 800 packages with discrepancies between the manifest in the npm registry and the package file.json inside the archive. While many of these inconsistencies are the result of differences in protocol specifications or variations in the scripts section, 18 of them are said to have been designed with the clear goal of malicious use.
So, one of the notable packages called "yatai-web-ui" is designed to send an HTTP request to the server with information about the IP address of the machine on which this package was installed.
The results of the study show that this attack vector has not yet been used by attackers to conduct malicious cyber operations, but it is extremely important that developers show special vigilance to ensure their security and protect the supply chain.
According to JFrog researchers, trusting packages based only on their appearance on the npm platform can be risky. Organizations should make it mandatory to implement security verification procedures for all packages used by their development teams, in particular, to detect hidden dependencies.
A recent study by JFrog found more than 800 packages in the npm registry that have discrepancies between the information specified in the package itself and their actual contents. Some of them use the Manifest Confusion technique to deceive developers and hide malicious code in the package.
The malicious Manifest Confusion technique, or "manifest confusion", was first documented in June 2023, when security researcher Darcy Clark discovered that inconsistencies between the manifest and package metadata could be used to attack the software supply chain.
The problem is that the npm registry doesn't check if the manifest file in the archive matches (package.json) with manifest data provided to the npm server during the package publishing process.
As a result, an attacker can use this flaw to spoof a manifest containing hidden dependencies that will be installed during package installation, thereby invisibly injecting malicious dependencies into the developer's system.
JFrog reports that its specialists have discovered more than 800 packages with discrepancies between the manifest in the npm registry and the package file.json inside the archive. While many of these inconsistencies are the result of differences in protocol specifications or variations in the scripts section, 18 of them are said to have been designed with the clear goal of malicious use.
So, one of the notable packages called "yatai-web-ui" is designed to send an HTTP request to the server with information about the IP address of the machine on which this package was installed.
The results of the study show that this attack vector has not yet been used by attackers to conduct malicious cyber operations, but it is extremely important that developers show special vigilance to ensure their security and protect the supply chain.
According to JFrog researchers, trusting packages based only on their appearance on the npm platform can be risky. Organizations should make it mandatory to implement security verification procedures for all packages used by their development teams, in particular, to detect hidden dependencies.
