Tags: node.js, npm, npm-install, malware

How to restrict NPM installs


When discussing a recent malware attack using a popular NPM package (and after removing this package from our code base), I started researching ways to restrict npm install commands. So far I have not found any way to restrict what a developer can install.

There are two reasons why this would benefit everyone:

  1. Have a further layer of protection against malicious packages getting installed.
  2. Avoid packages getting unintentionally installed when the package name was mistyped.

Regarding #1, the idea is that each team could create an approved list of package names that is checked before npm install actually runs, essentially creating some type of review process for npm packages.

Regarding #2, our team was actually impacted by having this package removed on NPM - but the only reason we ever had this dependency is because a package was installed by accident and went unnoticed for a while. Here's what I think happened:

  1. Developer wanted to install a package and intended to type npm install --save somepackagehere (notice the dash dash).
  2. Developer accidentally typed npm install save (no dash dash), thus installing the save npm package, which has a dependency on event-stream, which in turn had a dependency on flatmap-stream.

Node Version: 9.9.1

NPM Version: 6.4.1


QUESTION

Is there an existing way to achieve what I've described above that is not dependent on a manual code-review?


Solution

  • Some situations require more security, and as discussed in this article (point 6, "Use a local npm proxy"), you can create your own npm registry and only pull allowed packages and versions from there.

    In most cases I do believe it is unnecessary; however, if your situation calls for this edge case, it is possible.

    https://snyk.io/blog/ten-npm-security-best-practices/
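As an added illustration of the allowlist idea from the question (this is example code, not part of the original question or answer, and not an official npm feature), the following shell wrapper checks every package name passed to npm install against a plain-text approved list before handing the command to the real npm. The allowlist path, the NPM_ALLOWLIST variable and the function names are assumptions made for the example. Flags such as --save pass through untouched; a mistyped command like npm install save is rejected because "save" is not on the list.

```shell
#!/bin/sh
# Example wrapper (not npm's own code): refuse "npm install <pkg>" unless <pkg>
# is on an approved list, one package name per line. The file path and the
# NPM_ALLOWLIST variable are assumptions made for this example.
ALLOWLIST_FILE="${NPM_ALLOWLIST:-./npm-allowlist.txt}"

# Strip a version or tag suffix from an install spec:
#   "lodash@4.17.21"   -> "lodash"
#   "@types/node@^18"  -> "@types/node"   (scoped names keep their leading @)
pkg_name() {
  pn_spec=$1
  case "$pn_spec" in
    @*) pn_rest=${pn_spec#@}; printf '@%s\n' "${pn_rest%%@*}" ;;
    *)  printf '%s\n' "${pn_spec%%@*}" ;;
  esac
}

# check_install_args <allowlist-file> <npm install args...>
# Returns 0 only if every non-flag argument names an allowlisted package.
# Arguments starting with "-" are treated as npm flags (--save, -D, ...).
check_install_args() {
  ci_allowlist=$1
  shift
  ci_rc=0
  for ci_arg in "$@"; do
    case "$ci_arg" in
      -*) continue ;;
    esac
    ci_name=$(pkg_name "$ci_arg")
    # -F: fixed string, -x: whole line must match, -q: quiet
    if ! grep -Fxq -- "$ci_name" "$ci_allowlist"; then
      echo "blocked: '$ci_name' is not on the approved list ($ci_allowlist)" >&2
      ci_rc=1
    fi
  done
  return $ci_rc
}

# npm_guarded <npm args...>
# Drop-in replacement for "npm" (e.g. alias npm=npm_guarded in a shell rc file).
# Only the install aliases are guarded; every other subcommand is passed through.
npm_guarded() {
  case "$1" in
    install|i|add)
      shift
      check_install_args "$ALLOWLIST_FILE" "$@" || return 1
      set -- install "$@"
      ;;
  esac
  command npm "$@"
}
```

The check only covers packages named on the command line, so it catches the typo in the question but not a malicious transitive dependency pulled in by an approved package. For that, the private registry or proxy suggested in the answer is the right layer, since it decides which packages and versions can be resolved at all; a wrapper like this is a cheap first line of defence on developer machines.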