“Manifest confusion” in NPM is no longer scary, enthusiasts solved the problem on their own
A new Python-based tool will reveal any hidden dependencies in popular repository packages.
Last week we wrote that Darcy Clark, former development manager at GitHub and NPM, warned the developer community about the “manifest confusion” issue, which creates a risk of dependencies hiding malware or executing scripts during installation.
Manifest confusion is a security issue in the NPM registry: the package manifest data shown on a package’s NPM page does not necessarily match the data in that package’s own “package.json” file.
Because of this inconsistency, an attacker can manipulate the manifest data of a published package, removing certain scripts or dependencies so that they do not appear on NPM but are still present in the package itself.
This issue potentially exposes many developers to risks such as cache pollution, installation of unknown dependencies, execution of unknown scripts, and possibly even downgrade attacks.
Since NPM leadership has yet to address the issue and it is not clear what the platform plans to do at all, Clark suggested that package developers stop relying on manifest data and use a registry proxy to check data consistency. That solution is not the most convenient, but until recently it was the only working and safe one.
To use Pankratz’s npm-manifest-check tool, first install its Python dependencies with pip using the “pip install -r requirements.txt” command. To check a package, pass its name to the script as the first argument, for example: “$ ./npm-manifest-check.py darcyclarke-manifest-pkg”. The output highlights any inconsistencies in version, dependencies, scripts, and package name between the manifest and the actual package.json file.
To check several packages, add them to the “packages.list” file (one package per line) and run the “check_packages.sh” wrapper, which reports any inconsistencies found in each checked package. For full usage details of Pankratz’s tool, run “./npm-manifest-check.py -h”.
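The core of such a check, as an added example written for this article (not code from Pankratz’s tool): compare the name, version, dependencies and scripts that a registry manifest advertises against the package.json actually shipped inside the package tarball. The registry manifest and the tarball here are constructed in memory so the script runs offline; in real use they would be fetched from the registry.

```python
import io
import json
import tarfile

# Fields that the registry manifest and the tarball's package.json must agree on.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")

def package_json_from_tarball(tgz_bytes: bytes) -> dict:
    """Read package/package.json out of an npm tarball (gzip-compressed tar)."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return json.load(tar.extractfile(tar.getmember("package/package.json")))

def compare_manifest(registry_manifest: dict, package_json: dict) -> list:
    """Return (field, registry_value, tarball_value) for every field that differs.
    Missing dependency/script maps count as empty, so an entry present only in
    the tarball is reported instead of being silently skipped."""
    mismatches = []
    for field in CHECKED_FIELDS:
        default = {} if field in ("dependencies", "scripts") else None
        reg, pkg = registry_manifest.get(field, default), package_json.get(field, default)
        if reg != pkg:
            mismatches.append((field, reg, pkg))
    return mismatches

def build_tarball(package_json: dict) -> bytes:
    """Constructed sample input: an in-memory npm-style tarball (no network needed)."""
    buf, data = io.BytesIO(), json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the registry view hides a dependency and an install script
# that the published tarball actually carries.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}}
TARBALL_PACKAGE_JSON = {"name": "example-pkg", "version": "1.0.0",
    "dependencies": {"example-dep": "^1.3.0"}, "scripts": {"postinstall": "node setup.js"}}

def demo() -> list:
    """Run the comparison on the constructed sample and return the mismatches."""
    tgz = build_tarball(TARBALL_PACKAGE_JSON)
    return compare_manifest(REGISTRY_MANIFEST, package_json_from_tarball(tgz))

if __name__ == "__main__":
    for field, reg, pkg in demo():
        print(f"{field}: registry={reg!r} tarball={pkg!r}")
```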
Manifest confusion is not yet a widespread or critical problem in the NPM community, but it is not safe to ignore it, as attackers can use it to attack the supply chain at any time.