In the interconnected world of web development, open-source components play a vital role, facilitating collaboration and code sharing within the developer community. However, recent incidents have exposed vulnerabilities in the supply chain, with malicious actors leveraging open-source content delivery networks (CDNs) to serve dangerous packages even after they have been flagged and removed from package registries.
NPM Registry: A Playground for JavaScript Package Sharing
NPM (Node Package Manager) has long been the go-to package manager for the JavaScript programming language and the default choice for Node.js projects. With over a million open-source JavaScript packages available in its centralized registry, NPM enables developers to easily install, manage, and share code packages. To safeguard developers, NPM employs security measures like automated vulnerability scanning, advisories, and the ability to audit installed packages for known security flaws.
jsdelivr CDN: A Global Content Distribution Hub
jsdelivr, an open-source content delivery network, offers a fast and reliable way for developers to host and distribute files, including external libraries and resources for web projects. Operating as a global CDN with servers distributed worldwide, jsdelivr ensures that files are fetched from the server closest to the user’s location, optimizing performance and reducing latency. Its support for versioning allows developers to reference specific library versions, ensuring project stability amid updates.
Malicious Package Reactenz Exploits CDN Vulnerability
The recent discovery of the malicious package “reactenz” brought attention to a concerning flaw in the system. The package masqueraded as a legitimate alternative to the popular “react-enzyme” package, used widely in GitHub code snippets. However, upon further investigation, it was revealed that “reactenz” harbored a malicious intent.
Once integrated into a web page, “reactenz” downloaded an encoded .txt file from the jsdelivr CDN service and de-coded it as HTML. The content of the .txt file turned out to be a classic phishing HTML code, designed to trick users into resetting their Microsoft passwords and stealing their updated credentials. What’s particularly troubling is that “reactenz” was still accessible through the CDN even after being marked as malicious on NPM.
CDN Vulnerabilities and Supply Chain Attacks
This incident exposes two critical issues. First, while NPM attempts to remove malicious packages swiftly, the content served through the CDN remains accessible long after detection. Second, threat actors can leverage CDN services to serve malicious content while evading conventional security tools, which often monitor web downloads for potential malicious indicators.
Another alarming discovery was the malicious package “standforusz,” which remained accessible through the jsdelivr CDN, even a month after being marked as malicious on NPM. A similar case was found with the package “markedjs,” which was identified as malicious more than a year ago but still had accessible malicious components on the CDN.
Collaborative Security Efforts
In a blog post, Ori Abramovsky, Head Of Data Science Check Point CloudGuard said that researchers promptly reported the findings to NPM and jsdelivr, leading to the removal of the malicious packages and content from their platforms. However, this incident emphasizes the ongoing risk posed by open-source components, urging developers to be vigilant and verify the integrity of their dependencies.
Addressing the supply chain attack risks requires a collective effort from the developer community. Developers must exercise caution when using open-source packages, verify their authenticity, and adopt secure development practices. Security tools and package registries also need to strengthen measures to prevent supply chain attacks and promptly remove malicious packages.
In conclusion, the recent exploit of the jsdelivr CDN underscores the need for continued vigilance and collaboration in the open-source community. By maintaining a secure development process and staying informed about potential risks, developers can work together to protect the integrity of their projects and the safety of end-users.