
The mysterious supply chain concern of string-width-cjs npm package

What's this blog post about?

A potential supply chain attack was discovered when a developer noticed an unfamiliar syntax change in the package manifest of the cliui npm package. The proposed change used the "npm:" prefix syntax, which is part of the npm package manager's aliasing feature. Aliasing lets a dependency name resolve to a different package on the registry, and it has legitimate uses, such as supporting both ESM and CJS builds of the same library. The developer ran lockfile-lint against the pull request and found suspicious resolutions pointing at unknown modules. Further investigation showed that these packages existed on the public npm registry, had empty code repositories, were published anonymously with no associated personal information, and had a large number of dependents despite doing nothing. The developer concluded that this could be part of a supply chain security campaign, or spam and abuse of public registries such as npm and GitHub to mine for Tea tokens. The post recommends adopting security practices when working with open-source software to ensure code safety.

Company
Snyk

Date published
Oct. 3, 2024

Author(s)
Liran Tal

Word count
1455

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.