A package published to npm declares any command-line tools it provides in its package.json, in a field called bin. Each entry in that field maps a command name to a file inside the package. When the package is installed, npm creates a link under that command name: in the ./node_modules/.bin/ directory of the developer's project for a local install, or in the global bin directory for npm install -g. Npm creates, replaces and removes those links as part of its normal package management.
Security researcher Daniel Ruf found two vulnerabilities in the npm CLI after some lateral thinking about how a malicious package might harm the system it is installed on. He published the results of his work in a blog post last Thursday.
One of these flaws (see the official npm advisory) allowed an attack known as binary planting. Versions of the npm CLI prior to 6.13.3 didn't check that paths in the bin field stayed inside the package's own folder, so a bin entry containing ../ sequences or an absolute path could point anywhere the installing user has write access. That lets an attacker overwrite a clean file with a malicious one, or create a new file where one didn't exist before, and a global install run with sudo extends that reach to files owned by root.
A second vulnerability exists in bin-links, the npm package (bundled into the npm CLI) that creates the links from the bin field to the files in ./node_modules/.bin/. It uses a symlink (symbolic link) for each command. A symlink is a file that points to another file or directory by its file path. Bin-links allowed a package being installed to overwrite an existing symlink even if that package hadn't created it. With a global install those links live in the global bin directory, typically /usr/local/bin, so a malicious package could replace the link for a tool the user already has installed. That's significant because /usr/local/bin is on the default PATH: whatever sits there runs whenever the user types the command name.
To exploit these vulnerabilities, an attacker would have to persuade a user to install a package carrying an appropriately crafted bin entry, but that is entirely plausible, according to npm: packages are installed by name, and their bin fields are rarely inspected by hand.
What to do
Npm fixed both bugs and warned people in a blog post that they should update their npm CLI to version 6.13.4 now (npm install -g npm@latest is the usual way to do that).
It also said that while it had scanned every package in the public npm registry for bin entries abusing the bugs and found none, that doesn't give every package a clean bill of health, explaining:
We cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.
It might also be worth checking the bin fields of the packages installed under your projects' node_modules folders (each package's own package.json) for any dodgy-looking paths: command names or targets containing ../ or starting with /.