Phishing in the Node.js application repository

Posted by lipsius at 2020-02-27


A fortress is always breached from the inside. No matter how strong a system is, it is still operated by people; if the intrusion starts at the human link, even the most solid defensive line becomes decoration.

Here is an example of using an application repository to break into developers' systems.

Application repositories

Application repositories are familiar to every developer by now. apt-get, brew, yum, npm... they are simply command-line versions of an app store, making it convenient to install all kinds of tools and dependency libraries.

They all work on the same general principle. Today I'll talk about npm, the Node.js application repository.

The npm platform

If Node.js could only run on a single machine, it would be little more than WScript. Fortunately, the emergence of the npm platform lets the whole community interact.

Developers install the libraries they need through npm, and users can install whole projects through it as well. So in just a few years, tens of thousands of Node.js projects have been published to npm, with tens of millions of downloads every day. Does such a large user base carry any hidden security risks?

Repository tampering

The first thing that comes to mind is a stolen npm account. Once the password leaks, the attacker can publish a new version of the project, and as soon as a normal user updates, a malicious script is installed.

However, obtaining a platform account is not easy, and tampering with a highly active project is discovered quickly.

Repository phishing

Altering someone else's project is unreliable; the attacker can only count on their own. But a project created from scratch has no users, so some have to be lured over.

An attacker can pick a name similar to an active project. For example, the popular uglify-js can be shadowed by an impostor named uglifyjs; once a user misspells the name, the fake package is installed.

To keep users from noticing, the attacker can clone the original project outright, so that it behaves exactly like the genuine version and the flaw is hard to spot, and then hide a few tricks in some obscure module. Once the user runs the script, the devil is let loose.

Compared with traditional malicious programs, Node.js, a newly emerged and highly flexible language, has far fewer defensive programs watching over it.
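One defensive check for the look-alike-name trick above, written as an added example (not code from the original post): before installing, compare the requested name against a list of well-known packages, treating separator-only differences such as uglifyjs versus uglify-js as a match. The POPULAR list is a constructed sample; a real check would use the registry's download rankings.

```javascript
// Constructed sample of well-known package names (assumption: a real check
// would pull this list from registry download statistics).
const POPULAR = ["uglify-js", "lodash", "express", "request", "async"];

// Normalise the ways a name is commonly mistyped: case, separators, and an
// added scope ("@evil/lodash" should still be compared against "lodash").
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns null when the name is exactly a known package or nothing is close;
// otherwise the closest popular package it could be confused with.
function typosquatCandidate(requested, popular = POPULAR) {
  if (popular.includes(requested)) return null;
  const req = normalize(requested);
  let best = null;
  for (const name of popular) {
    const dist = editDistance(req, normalize(name));
    // Separator-only differences normalise to distance 0; allow one typo.
    if (dist <= 1 && (best === null || dist < best.distance)) {
      best = { package: name, distance: dist };
    }
  }
  return best;
}
```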

Intrusion at install time

If the user notices that the wrong project was installed and uninstalls it before ever running it, is intrusion then impossible?

In fact, npm provides extremely powerful features and can even execute extra commands at install time.

In the scripts field of package.json, a command can be defined for each lifecycle stage.

For example, postinstall runs after the package has been installed.

In this way, as long as a user's hand slips while typing npm install XXX, the system may be compromised.

It sounds a little far-fetched. After testing, however, a copycat of an active project still gets dozens to hundreds of installs per day (mistaken installs). Although the number is small, a tiny fraction of the original's, these are potential high-value users.

Most of them are developers. Once a developer's system is controlled, the attacker can penetrate the enterprise intranet.

Persistent intrusion

Once a developer's system is controlled, the consequences are far more serious than expected. Beyond all kinds of information leakage, there are worse things in store.

Take uglify-js as an example. If a developer installs the phishing version, what happens?

As a compiler-like compression tool, it turns tested source code into an unreadable black-box program, which is usually the last step before going live. If this link is manipulated by the attacker, then even source code that has passed review cannot escape the evil hand.

Perhaps the phishing tool inserts a hidden XSS into the compressed script, which developers are unlikely to find without careful inspection. Once the script is released, thousands of users are affected online.

The attacker took the fortress straight from the source without a single soldier.

Of course, it is not only the web that can be infected; other clients are even more likely targets. Some rarely examined open source libraries, or header code, may be the hiding place of malicious code.

Phishing promotion

After all, only a few users mistype. To increase the infection count, attackers actively promote their phishing programs.

Of course, the promotion will not be so obvious that others can sense the real intent.

Attackers can repost recent popular articles and replace the demo address with their own phishing project, so readers who come to look try it out without any precaution and are quietly taken over.

Or, more directly, promote the project in forums or social circles, adding some flashy words and cool pictures, so that a few curious people walk straight into the attacker's arms.


Besides npm, other application repositories that do not require review may also be at risk of phishing projects.

Therefore, be very careful when installing. If you forget a project's exact name, verify it before installing.

Likewise, be prudent about trying projects from unknown sources. After all, installing a project is the same as running an application directly!