What are Weak Links in the npm Supply Chain?

by   Nusrat Zahan, et al.
NC State University

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650 Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata. In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. One of our case studies identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.


page 1

page 2

page 3

page 4


Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks

A software supply chain attack is characterized by the injection of mali...

Measuring and Preventing Supply Chain Attacks on Package Managers

Package managers have become a vital part of the modern software develop...

A Review of Attacks Against Language-Based Package Managers

The liberalization of software licensing has led to unprecedented re-use...

Software Supply Chain Attribute Integrity (SCAI)

The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"...

The Hitchhiker's Guide to Malicious Third-Party Dependencies

The increasing popularity of certain programming languages has spurred t...

Patterns of Effort Contribution and Demand and User Classification based on Participation Patterns in NPM Ecosystem

Background: Open source requires participation of volunteer and commerci...

Automatic link extraction: The good, the bad and the ugly in software ecosystem mining

This abstract presents the automatic link extraction pitfalls based on o...

Please sign up or login with your details

Forgot password? Click here to reset