NPM Library Malicious Code Penetration Diligently Contained

The Node Package Manager (NPM) was first established in 2009 to facilitate code sharing between JavaScript developers far and wide. The idea was that instead of every developer rebuilding the same program from scratch, open source resources such as the NPM library would let developers build on what has already been written, so that in the grander scheme of things program development could reach new heights. NPM was turned into a company in 2014 to push forward the same vision, and the company now hosts a startling registry of over 700,000 packages that can be freely and responsibly used to develop anything for devices, applications, robots, and much more.

According to NPM CTO CJ Silverio, overnight between the 11th and 12th of July a malicious attack took place on the NPM registry: an attacker gained access to a developer's account and used that developer's credentials to publish a faux version of the eslint-scope library, eslint-scope 3.7.2, a package the compromised individual was responsible for maintaining. Luckily the unusual token generation activity was noticed soon and efforts were made to restrict and revert the change. Since then, a thorough investigation of the breach found that the malicious code was built to record the NPM credentials of other developers whenever it ran as part of their projects. Therefore, the community of developers using the open source registry has been advised to change all account credentials and to remove this version of the library from any project that has pulled it in.

Despite the massive number of weekly downloads the ESLint package trends at, no malicious activity has been reported from the 4500 accounts that were directly exposed to the faux version of the code. Tokens have nonetheless been revoked to avoid further tampering with the registry and further spreading of the infected eslint-scope package. In the official statement from CJ Silverio, users have also been urged to enable the two-factor authentication NPM already offers, to prevent such malicious publishes from happening in the future.

After every such attack on open source code, the developer community takes a step back in fear, but in the various blog posts and editorials that have appeared on the tech community front since this attack, developers are urged to brave such incidents out and hold fast to the integrity with which open source libraries were created for the benefit of all developers. NPM users are urged to carry on and honor the spirit in which the open source project was originally established. If users employ all the security measures provided to them to safeguard their libraries, an attack like this will not be given any opening to occur again.

Aaron Michael
Aaron Michael is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge of gaming make him a very competent writer. What makes him unique is his growing interest in state-of-the-art technologies, which motivates him to learn, adopt, and integrate the latest techniques into his work.