
The JavaScript npm registry has a manifest confusion weakness that can allow malicious files to be installed and executed without the user’s knowledge. An attacker can exploit it by publishing a package whose dependency does not show up on the npm website but is still installed by the command line installer. The software supply chain weakness exists because the public registry does not validate the manifest metadata submitted at publish time against the package.json inside the package tarball; the two are assumed to be consistent, but nothing enforces it, so fields such as name, version, dependencies and install scripts can differ between them. As a result, any tool that trusts the registry manifest rather than the tarball contents is susceptible. Such attacks are also difficult to detect, because most software composition analysis tools build their dependency graphs from the manifest information rather than from the tarball.

This segment was created for the It’s 5:05 podcast