
@jimmycann
Created August 2, 2017 22:19
Check for malicious NPM dependencies

Check for malicious dependencies

Scans a package.json file for any packages known to be malicious. It checks both the dependencies and devDependencies fields.

Why?

Based on this tweet by @nodesecurity https://twitter.com/nodesecurity/status/892775462371381248, there is currently a hole in the npm registry: users can publish malicious packages, named to look like popular ones, that steal environment variables when installed.

A quick one-liner to check for these packages, along with more detail on the issue, has been posted by Ivan Akulov at https://iamakulov.com/notes/npm-malicious-packages/. This script was created for everyone on an OS that might not be able to run that command.

For reference, here is the command:

npm ls | grep -E "babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter"

Usage

Copy this script into the folder where your package.json is located. It can be called anything you like, as long as it has the extension .js. In this example, I'm going to call it checkMalicious.js.

Then it's just a case of running the script with node:

node checkMalicious.js

Notes

This is a short-term solution until something more robust is put in place by NPM. It is limited in functionality, and the list of malicious dependencies is more than likely incomplete.

If people find this useful, I'm more than happy to extend its functionality.

const fs = require('fs');

// Package names known to be malicious (from the @nodesecurity / Ivan Akulov list above).
const malicious = [
  'babelcli', 'crossenv', 'cross-env.js', 'd3.js', 'fabric-js', 'ffmepg', 'gruntcli', 'http-proxy.js', 'jquery.js', 'mariadb', 'mongose', 'mssql.js', 'mssql-node', 'mysqljs', 'nodecaffe', 'nodefabric', 'node-fabric', 'nodeffmpeg', 'nodemailer-js', 'nodemailer.js', 'nodemssql', 'node-opencv', 'node-opensl', 'node-openssl', 'noderequest', 'nodesass', 'nodesqlite', 'node-sqlite', 'node-tkinter', 'opencv.js', 'openssl.js', 'proxy.js', 'shadowsock', 'smb', 'sqlite.js', 'sqliter', 'sqlserver', 'tkinter'
];

// Read package.json from the current working directory.
const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));

Promise.all([
  checkMalicious(pkg.dependencies),
  checkMalicious(pkg.devDependencies)
])
  .then(res => res.map((r, i) => logResult(r, i === 0 ? 'dependencies' : 'devDependencies')))
  .catch(e => {
    console.error(e);
    process.exit(1);
  });

// Return the names in `deps` that appear in the malicious list.
// Either field may be absent from package.json, so default to an empty object
// instead of letting Object.keys(undefined) throw.
function checkMalicious(deps = {}) {
  return Object.keys(deps).filter(d => malicious.includes(d));
}

// Print the result for one dependency field.
function logResult(res, type) {
  if (res.length === 0) {
    return console.log(`${type}\n\u2713 Does not contain any malicious packages known to this script\n`);
  }
  return console.log(`${type}\nContains the following malicious packages:\n`, res, `\nThese packages should be removed immediately and all secrets in your environment variables should be reset.\n`);
}
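The script above only looks at the direct dependencies named in package.json, whereas the npm ls one-liner it replaces walks the whole installed tree, so a flagged package pulled in by something else would be missed. The following is an added example, not part of the original gist, that checks the same list of names (by exact match, which also avoids the grep regex matching unrelated names such as anything containing "smb") against every dependency field of package.json and against the nested "dependencies" tree of a lockfile-v1 style package-lock.json, reporting the path through which each hit is reached. The sample package.json and package-lock.json embedded below are constructed for the example; the function names are my own.

```javascript
// Added example: flag known-malicious package names in direct and transitive dependencies.
const MALICIOUS = new Set([
  'babelcli', 'crossenv', 'cross-env.js', 'd3.js', 'fabric-js', 'ffmepg', 'gruntcli', 'http-proxy.js', 'jquery.js', 'mariadb', 'mongose', 'mssql.js', 'mssql-node', 'mysqljs', 'nodecaffe', 'nodefabric', 'node-fabric', 'nodeffmpeg', 'nodemailer-js', 'nodemailer.js', 'nodemssql', 'node-opencv', 'node-opensl', 'node-openssl', 'noderequest', 'nodesass', 'nodesqlite', 'node-sqlite', 'node-tkinter', 'opencv.js', 'openssl.js', 'proxy.js', 'shadowsock', 'smb', 'sqlite.js', 'sqliter', 'sqlserver', 'tkinter'
]);

// Every package.json field that can cause a package to be installed.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Direct dependencies: each field is optional, so default it to {} rather than crashing.
function findMaliciousDirect(pkg) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) {
      if (MALICIOUS.has(name)) hits.push({ field, name });
    }
  }
  return hits;
}

// Transitive dependencies: walk the nested "dependencies" tree of a
// lockfile-v1 style package-lock.json (the same tree npm ls prints) and
// record the install path of every flagged package.
function findMaliciousTransitive(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (MALICIOUS.has(name)) hits.push({ path: here.join(' > '), version: info.version });
      walk(info.dependencies, here); // recurse into non-hoisted children
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Parse both files (given as JSON text) and combine the findings.
function checkProject(pkgJsonText, lockJsonText) {
  const direct = findMaliciousDirect(JSON.parse(pkgJsonText));
  const transitive = lockJsonText ? findMaliciousTransitive(JSON.parse(lockJsonText)) : [];
  return { direct, transitive, clean: direct.length === 0 && transitive.length === 0 };
}

// Constructed sample inputs: "crossenv" is a direct dependency, "mongose" is
// only reachable through "express" in the lockfile. Versions are made up.
const SAMPLE_PKG = JSON.stringify({
  name: 'sample-app',
  dependencies: { express: '^4.15.0', crossenv: '^6.0.0' },
  devDependencies: { mocha: '^3.5.0' }
});
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.15.3', dependencies: { mongose: { version: '0.0.1' } } },
    crossenv: { version: '6.1.1' },
    mocha: { version: '3.5.0' }
  }
});

function report(result) {
  for (const h of result.direct) console.log(`direct   ${h.field}: ${h.name}`);
  for (const h of result.transitive) console.log(`installed ${h.path}@${h.version}`);
  console.log(result.clean ? '\u2713 no known-malicious packages found'
    : 'Remove the packages above and rotate any secrets held in environment variables.');
}

if (typeof require !== 'undefined' && require.main === module) {
  report(checkProject(SAMPLE_PKG, SAMPLE_LOCK));
}
```

To run it against a real project, replace the two sample strings with `fs.readFileSync('package.json', 'utf8')` and `fs.readFileSync('package-lock.json', 'utf8')`; projects without a lockfile get the direct-dependency check only.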