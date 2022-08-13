Manipulated npm with malicious code are becoming an increasing problem. would like to make the authenticity of the packages verifiable in the future.

Attacks on the software supply chain are a growing problem. In June of this year, Python packages with a backdoor were discovered in the Python Package Index PyPI, in July 1200 modules with a cryptominer in the Javacript repository npm, and in early August packages with ransomware in PyPI.

The fact that npm and PyPI are particularly under attack is probably due to the fact that JavaScript and Python are currently being used a lot and it is common in both ecosystems to use numerous external modules: New web projects typically start with npm install data science projects mostly with pip install .

The npm registry, which has been operated by the Microsoft subsidiary GitHub since 2020, has been exposed to targeted attacks for years. In 2018, for example, a manipulated version of the popular EventStream library stole bitcoins. In November 2021, the npm packages coa and rc were provided with a trojan via a compromised maintainer account – both packages together have over 20 million downloads per week. As a consequence, GitHub announced the introduction of mandatory 2-factor authentication.

More security for npm packages

With its latest proposal for protecting npm packages from tampering, GitHub wants to establish a fixed connection between the npm package offered for download and its verifiable source code, without developers having to handle cryptographic signatures themselves or revealing personal information such as their email address. First is to connect with the command npm audit signature have it checked, later this could be done automatically for everyone npm install happen.

This connection, which would protect against attacks such as those on coa and rc, is said to be provided by the open source software Sigstore from the Linux Foundation and Open Source Security Foundation. Red Hat, Google and Purdue University, among others, are involved in its development. The RFC “Link npm packages to the originating source code repository and build” explains in detail how package signing should work and what role Sigstore plays in it. Now GitHub is asking for feedback from the community.