Regarding the recent NPM registry manifest confusion blog post: https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
Snyk was made aware of the blog on June 28th, 2023. Snyk took immediate action to review the claims made in the post and assess product areas that could be impacted. Snyk’s systems are not affected; we are not making any product changes in response, and we have guidance below for your use of NPM.
We have contacted NPM Support to understand whether they are taking action to address the Manifest Confusion issue at the registry level. As of the time of posting this, we have not yet had a response from NPM Support.
Snyk is regularly researching and flagging malicious packages and adding these to our vulnerability database. Any malicious packages we identify exploiting Manifest Confusion will be added to Snyk’s Vulnerability Database. We will issue further updates and guidance should any additional actions become known.
Guidance for Development Teams
Snyk has identified two potential attack vectors for Manifest Confusion when using the NPM registry:
- Injecting hidden install scripts
- Injecting hidden transitive dependencies
We recommend that customers immediately take the following preventative actions to minimize the risk of each of these attack vectors:
- Utilize NPM version 7 or above.
- Avoid combining the following npm install options:
npm install --prefer-offline --no-package-lock
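Both attack vectors listed above rest on the same condition: the version document the registry serves for a package disagrees with the package.json inside the published tarball that npm actually unpacks. That condition can be checked directly. The following Node.js script is an added example, not Snyk's code and not part of this notice; it compares the two manifests and reports any lifecycle script or dependency that appears only in the tarball. The package name, version and manifest contents are constructed sample data, and the dependency name `hypothetical-extra-dep` is a placeholder.

```javascript
// Added example (not Snyk's code): detect manifest confusion by comparing the
// registry's version document with the package.json found inside the tarball.
// Lifecycle scripts npm runs during install, and the dependency fields that
// pull in transitive packages, are the fields an attacker would hide.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// Return the keys whose values differ between two flat objects.
function diffObjects(a = {}, b = {}) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  const out = [];
  for (const k of keys) {
    if (a[k] !== b[k]) out.push({ key: k, registry: a[k], tarball: b[k] });
  }
  return out;
}

// registryVersionDoc: the object for one version from the registry metadata
//   (what `npm view <pkg>@<version> --json` prints).
// tarballPackageJson: the parsed package/package.json from the tarball
//   (what `npm pack <pkg>@<version>` downloads).
// Returns a list of findings; an empty list means the manifests agree on
// every field checked here.
function compareManifests(registryVersionDoc, tarballPackageJson) {
  const findings = [];

  // Hidden install scripts: a script present in the tarball but absent (or
  // different) in the registry manifest.
  const regScripts = registryVersionDoc.scripts || {};
  const tarScripts = tarballPackageJson.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if ((regScripts[name] || '') !== (tarScripts[name] || '')) {
      findings.push({
        kind: 'script',
        field: name,
        registry: regScripts[name] ?? null,
        tarball: tarScripts[name] ?? null,
      });
    }
  }

  // Hidden transitive dependencies: a dependency the registry never lists.
  for (const field of DEP_FIELDS) {
    for (const d of diffObjects(registryVersionDoc[field], tarballPackageJson[field])) {
      findings.push({
        kind: 'dependency',
        field: `${field}.${d.key}`,
        registry: d.registry ?? null,
        tarball: d.tarball ?? null,
      });
    }
  }
  return findings;
}

// Constructed sample data: the registry shows a clean package, while the
// tarball carries a postinstall script and an extra dependency.
const sampleRegistryDoc = {
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { test: 'node test.js' },
  dependencies: { lodash: '^4.17.21' },
};
const sampleTarballPkg = {
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
  dependencies: { lodash: '^4.17.21', 'hypothetical-extra-dep': '1.2.3' },
};

// Human-readable report for the findings list.
function formatFindings(findings) {
  if (findings.length === 0) return 'OK: registry manifest and tarball agree';
  return findings
    .map((f) => `MISMATCH ${f.kind} ${f.field}: registry=${JSON.stringify(f.registry)} tarball=${JSON.stringify(f.tarball)}`)
    .join('\n');
}

console.log(formatFindings(compareManifests(sampleRegistryDoc, sampleTarballPkg)));
```

To run this against a real package, feed `compareManifests` the version entry from `npm view <pkg>@<version> --json` and the `package/package.json` extracted from the tarball that `npm pack <pkg>@<version>` downloads. Because npm 7 and later reads the tarball's package.json rather than the registry manifest when it has the tarball, this check exposes the gap that older clients, and the `--prefer-offline --no-package-lock` combination, leave open.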
Additionally, you can utilize Snyk Open Source to detect known malicious NPM packages.
Please reach out to our Support team for additional assistance.