
Native code

Severity

Medium

Short Description

Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior.

Suggestion

Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Information

The "Native Code" alert on Socket indicates that the package you're examining includes native code: code written in a low-level language such as C, C++, or Rust and compiled to machine code for a specific platform, which Node.js loads directly into its own process (typically as a .node addon) rather than interpreting it as JavaScript.

There are a number of ways native code can introduce complications and concerns:

Potential Risk: Native code can be riskier than a high-level language like JavaScript because it runs without the runtime's memory-safety guarantees. Manual memory management and unchecked buffer access make it susceptible to memory-corruption bugs (e.g., buffer overflows, use-after-free), and because a native addon runs in-process with the same privileges as Node.js itself, such a bug is not contained by the JavaScript runtime.

Security Concerns: Packages with native code might introduce security risks if the code is not well-audited or if it comes from untrusted sources. A compiled binary cannot be read the way source can, so a reviewer cannot easily confirm that it does only what the package claims, and attackers may exploit vulnerabilities in native code to gain unauthorized access to systems or data.

Compatibility Issues: Native code can also lead to compatibility issues across different operating systems and environments, as it may require specific system dependencies or configurations.

Recommended actions

Confirm Native Code is Necessary:

  • Ensure that the native code bindings are expected and essential for your project. If native code isn’t critical, consider whether it can be avoided to reduce risks.

Consider Pure JavaScript or Alternative Libraries:

  • Look for pure JavaScript libraries or alternatives that provide the same functionality without relying on native code. These alternatives can reduce complexity, improve cross-platform compatibility, and mitigate security risks.

Weigh the Trade-offs:

  • If native code is required, carefully evaluate the benefits versus the added complexity and security risks. Use native code only when it offers significant advantages that can’t be achieved with JavaScript alone. Using native code will require more manual auditing.

Examples

Here is an example of a build setting that caused a package to be flagged for native code:

In this example, the package ships a binding.gyp (the build file read by node-gyp, the tool that compiles Node.js native addons) containing the following setting:

"win_delay_load_hook": "false"

win_delay_load_hook is a node-gyp option for Windows builds. By default it is true, and node-gyp compiles a small delay-load hook into the addon so that the addon's imports of node.exe are resolved against whatever executable actually loaded it (for example Electron, or a renamed Node.js binary). Setting it to "false" omits that hook, so the compiled addon links against node.exe by name and can fail to load in any other host process.

The security-relevant point is not this flag by itself but what it reveals: the package builds and loads a compiled Windows addon, and its author has changed how that addon links into the host process. A load failure caused by this setting is a compatibility and stability problem rather than an exploitable condition in itself, but a package that customizes its native build in this way should be reviewed in full: read the native sources alongside binding.gyp, confirm the native code is actually needed, and check that any prebuilt binaries correspond to the published source.

Detection Method

This alert only applies to the JavaScript and TypeScript ecosystem. Socket flags npm packages that contain native code by analyzing the content of the package to detect the presence of compiled or low-level code.

Additional resources

Node.js documentation: C++ addons

Mozilla Developer Network (MDN): WebAssembly (Wasm) and JavaScript
