Tuesday, November 16, 2021

How To Secure NPM Packages From Getting Hacked?

In the web development world, using and sharing reusable building blocks is common. With npm, adding new open source packages to an application is simpler and more accessible than ever. There are 1.5 million packages available in the npm registry, and up to 90% of the code in modern apps is open source code developed by others. With such a huge number of npm packages, it is obvious that hackers will try to abuse them with malicious intent, and nowadays many developers report that npm packages are getting hacked. So here are some best practices for npm package security. Let’s have a look.

Top 7 Best Practices For NPM Security-


1. Use NPM Author Tokens-

When you log in with the npm CLI, a token is generated for your user that authenticates you to the npm registry. Tokens ease npm registry-related actions during CI and automated procedures, such as accessing private modules on the registry or publishing new versions from a build step. Tokens can be managed via the npm registry website and with the npm command line client. Let’s look at an example of using the CLI to create a read-only token that is restricted to a particular IPv4 address range:

$ npm token create --read-only --cidr=192.0.2.0/24

To verify which tokens have been generated for a user, or to revoke tokens in an emergency, use npm token list or npm token revoke respectively. Make sure you follow this npm security best practice by protecting npm tokens and minimizing their exposure.

2. Enable A Dependency Firewall To Block Packages At The Door-

Being notified is vital, but most of the time it is far better to block bad packages at the door. Set up a code supply chain that prevents packages from being added to your private registries if they have not been scanned, are insecure, or carry specific restrictive licenses.

3. Use Local NPM Proxy-

The npm registry is the largest collection of packages available to JavaScript programmers and is also home to most open source projects for web developers. But sometimes you have different requirements for security, deployment or performance. In that case, npm lets you switch to a different registry:

When you run npm install, it automatically communicates with the main registry to resolve all dependencies; if you want to use a different registry, that is also simple:

  • Run npm set registry <registry-url> to set the default registry.
  • Pass the --registry argument to use a different registry for a single command.

Verdaccio is a simple, lightweight, zero-config-required registry, and installing it is also simple:

$ npm install --global verdaccio

Hosting your own registry has never been simpler. Let’s have a look at the most important features of this tool:

  • It supports the npm registry format, including private package features, package access control, scope support and authenticated users in the web interface.
  • It can hook remote registries, route each dependency to a different registry and cache tarballs. You should proxy all dependencies to reduce the number of duplicate downloads and save bandwidth on local development machines and CI servers.
  • If your project is Docker based, the official image is the best choice.
  • As its default authentication provider it uses htpasswd, and it also supports GitLab, LDAP and Bitbucket.
  • It is easy to scale using various storage providers.

It is easy to run:

$ verdaccio --config /path/config --listen 5000

If you’re using Verdaccio for a local private library, consider configuring your packages so that they can only be published to the local registry, avoiding accidental publishing by developers to a public registry. To accomplish this, add the following to package.json:

"publishConfig": {
  "registry": "https://localhost:5000"
}

To publish a package, run npm publish.

4. Ignore run-scripts To Reduce Attack Surfaces-

The npm CLI works with package run-scripts. If you’ve ever run npm start or npm test, you’ve used package run-scripts too. The npm CLI builds on scripts that a package can declare, and allows packages to define scripts to run at particular entry points during the package’s installation. For instance, a package can declare a postinstall script that executes when the package is installed, to perform housekeeping tasks.

Because of this capability, bad actors can create or modify packages to perform malicious actions, since any arbitrary command they specify runs when the package is installed. Well-known cases are the eslint-scope incident, which harvested npm tokens, and the crossenv incident, in which 36 other packages abused a typosquatting attack on the npm registry.

Apply these npm security best practices to reduce the malicious module attack surface:

  • When installing packages, add the --ignore-scripts flag to disable the execution of any scripts by third-party packages.
  • Hold off on blindly upgrading to a new version; allow new package versions to circulate for a while before trying them.
  • Before you upgrade, review the changelog and release notes for the new version.

5. Enforce The Lockfile-

