The mysterious supply chain concern of string-width-cjs npm package
A potential supply chain attack was discovered when a developer noticed an unfamiliar syntax change to the package manifest of the cliui npm package. The proposed changes involved using an "npm:" prefix syntax, which is part of the npm package manager's aliasing feature. This feature allows custom resolution rules for packages and can be abused in cases like supporting ESM vs CJS. The developer employed lockfile-lint to examine the pull request and found suspicious behavior concerning malicious modules. Further investigation revealed that these suspicious packages existed on the public npm registry, had empty code repositories, were published anonymously without any associated personal information, and had a large number of dependents despite not doing anything. The developer concluded that this could be part of a supply chain security campaign or spam and abuse of public registries like npm and GitHub to mine for Tea tokens. It is recommended to adopt security practices while working with open-source software to ensure code safety.
Company
Snyk
Date published
Oct. 3, 2024
Author(s)
Liran Tal
Word count
1455
Language
English
Hacker News points
None found.