Today we're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.
Feross Aboukhadijeh
June 15, 2022
Today we're excited to announce the 1.0 release of Socket for GitHub – we're finally out of beta! We're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.
Does 1.0 mean Socket for GitHub is completely bug-free? Not yet. Does it mean it is feature-complete? Certainly not. There's still a long journey ahead to make Socket even more stable and powerful. But 1.0 is a recognition that we've come a long way.
For those not familiar, here's a quick review of how Socket for GitHub works:
Socket watches for changes to “package manifest” files such as package.json, package-lock.json, and yarn.lock. Whenever a new dependency is added in a pull request, Socket analyzes the package's behavior and leaves a comment if it is a security risk.
In this real example from a user's repo, Socket helped a developer to catch a potentially costly mistake when they installed the wrong package:
The most common feedback we've received from users is that they'd like Socket to detect more issues beyond the typosquat detection that we launched with.
We're happy to share that in 1.0, we're upgrading Socket for GitHub to detect 5 additional supply chain security issues. If you've already installed Socket, you will automatically get these improvements – no need to take any action.
Socket for GitHub adds support for 5 more package issues
Starting today, Socket will automatically monitor GitHub pull requests for these software supply chain risks:
Install scripts
The npm package manager allows a package to specify an "install script" – an arbitrary shell command – that will run immediately when a package is installed. Install scripts are commonly used to build native code, print donation banners, or do other post-install tasks. However, this (anti-)feature is quite easy to abuse.
The vast majority of malware on npm uses an install script to deliver its payload. In fact, a 2022 paper found nearly 94% of malicious packages had at least one install script.
Nusrat Zahan, et al.
Despite the pervasive use by malware, install scripts are in fact quite rare across the npm ecosystem. Most apps have only a handful of dependencies that use this powerful feature.
Socket can now identify when a newly-added package contains an install script, or more worryingly, when a new version of an existing package introduces a new install script. When Socket identifies a new install script – a relatively rare and highly suspicious event – it will alert the developer via a GitHub comment so they can evaluate whether the install script is safe.
In this real example from a user's repo, Socket detected that the popular styled-components package decided to add a "protestware" install script in version 5.3.5:
To help the developer investigate, Socket helpfully includes a link to the exact script that will run in the installation step.
In this case, the install script is a benign instance of protestware, though some protestware is much more destructive.
Telemetry
Websites or apps often include a telemetry system that collects data about how users interact with a product. This data can help improve the product, catch bugs, or even detect abuse. While telemetry in apps is relatively common, telemetry in open source packages is quite unusual.
We've heard from our users that they do not expect their dependencies to be collecting telemetry and sending it off to remote servers. Unfortunately, telemetry in open source dependencies is becoming more common.
Socket can now detect packages that collect telemetry, alert the developer, and provide actionable information about how to disable the telemetry.
In this real example, Socket detected that a newly introduced dependency, angular-calendar, is collecting telemetry:
Socket helpfully identifies the package collecting the telemetry, @scarf/scarf, and provides information on how to opt-out of the telemetry system.
Teams can now use Socket to keep dependencies that collect telemetry out of their codebases, or disable the telemetry functionality.
Native code
Packages which contain native code, i.e. compiled executable files, are rare on npm, but there are some. Native code is often used in packages that interface with a database, are performance-critical, or provide JavaScript bindings around native code.
From a security perspective, native code is not ideal. Packages that include binaries are harder to audit since the source code may not be available, and you may need a binary disassembler to understand the package behavior. To complicate matters, packages may include different binaries for each supported platform and processor architecture. Worse still, a malicious actor may use native code to obscure their malware from JavaScript static analysis tools such as Socket or ESLint.
At a more fundamental level, native code may prevent a package from running in certain environments such as browsers, Vercel Edge Functions, Cloudflare Workers, or Deno.
Socket can now detect packages that contain native code and alert the developer, providing actionable information about how to disable the native code in cases where it's optional.
This detection also finds packages which do odd things, such as turning async functions into sync using a native code dependency like deasync.
Known Malware
When Socket confirms that a package contains malware, we report it to npm and add it to our list of known malware on npm. Our #1 priority is getting the malware removed from npm to protect the JavaScript ecosystem, whether those users use Socket or not.
While npm is investigating the package, the malware remains available on npm.
Socket can now protect users from known malware by detecting when a bad package version is installed and reporting it to the developer directly in a GitHub pull request. The Socket CLI (coming soon!) will also give developers a way to protect their own devices from known malware by intercepting bad npm install commands.
Related: Socket tracks packages removed from npm for security reasons which is quite interesting to look through. It's also a great way to see what package issues Socket would have detected in real historical instances of npm malware.
Troll Packages
npm contains many packages which are low-quality, jokes, parodies, or otherwise contain code not meant to be used in production.
For example, there's a package called bowserify that's a Bowser-themed version of browserify. This parody package makes a few changes to the package such as including an image of Bowser (yes, the Nintendo character) and adding extra code into any JavaScript bundle that it produces – yikes!
Some npm packages are named in a way designed to trick or confuse users, such as the package standardjs which is designed to confuse users of standard. Other packages, such as - (yes, the actual package name is a dash character), are frequently installed by accident when a user typos a command line flag to npm install.
Socket can now protect users from misleading packages like these by reporting them directly to the developer inline in a GitHub pull request.
Typosquats
Of course, Socket for GitHub continues to support typosquat detection and we've continued to improve its reliability.
Users have asked us to make it clearer that Socket is installed correctly and actively protecting pull requests. So, we've done that with the help of the GitHub Checks API.
Socket now shows a "GitHub Check" on pull requests, indicating the progress and results of the Socket analysis.
We selected these package issues – out of the 70+ issues that Socket supports – to bring to Socket for GitHub because we believe they're high-signal and high-confidence, with few false positives. We are always working on improving and extending our analysis to improve coverage and increase reliability.
We will continue to add more detections in future releases. Next up on our list is detecting network access, filesystem access, shell access, environment variable access, obfuscated code, and more. We'll release these in Socket for GitHub soon.
We are so grateful to the users, customers, and advisors who have supported us so far.
Today it is far too easy for a malicious actor to infiltrate the software supply chain. By installing Socket for GitHub, you're taking a concrete step to meaningfully improve your dependency security while getting package insights that help you write better software.