Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Sarah Gooding
August 22, 2024
The ubiquity of trivial packages, particularly in the JavaScript ecosystem, is driven by the inertia of the industry's focus on modularity and code reuse, as developers increasingly rely on pre-existing solutions for efficiency.
These small, often single-function packages are pervasive, with developers relying on them for even the most basic tasks. While they offer convenience and faster development, the sheer volume of trivial packages also introduces challenges, including dependency bloat and potential security vulnerabilities. As the ecosystem grows, it’s essential to critically evaluate the necessity and impact of these packages on the overall software supply chain.
The concerns associated with trivial packages are exemplified in the Left-pad incident, which had a cascading negative impact on open source supply chains. The incident involved “Left-pad,” an npm package with 11 lines of code that included a function that adds extra space to the left side of a string of text.
Following an unrelated naming dispute of another one of his modules in the registry, Left-pad author Azer Koçulu decided to delete all of his nearly 300 packages in protest.
Left-pad had been downloaded nearly 2.5 million times in the month prior to it being unpublished. The package became widely known due to its impact as a transitive dependency of Babel, a popular JavaScript transpiler. When Left-pad was unexpectedly removed from npm, it caused many projects that relied on Babel, which in turn depended on Left-pad, to break. This included most major websites, like Facebook, Netflix, and Airbnb.
While other developers quickly filled the gap with new packages that performed the same function, the 2016 incident demonstrated the fragility of the open source ecosystem and the potential for small, seemingly insignificant packages to disrupt critical infrastructure when removed or compromised.
You might be surprised to know that there are several studies and research papers examining the impact of trivial packages on the software ecosystem. Nearly all of them focus on npm and reference the left-pad incident, but trivial packages are an issue in the Python ecosystem as well.
In 2020, researchers at at Concordia University published a paper "On the impact of using trivial packages: an empirical case study on npm and PyPI,” which explored some of the differences in the two most popular open source ecosystems. The research mines more than 500,000 npm packages and 38,000 JavaScript applications and more than 63,000 PyPI packages and 14,000 Python applications to study the prevalence of trivial packages. They also surveyed 125 developers who use trivial packages.
At that time, trivial packages, those which have ≤ 35 lines of code and a McCabe’s cyclomatic complexity of ≤ 10, made up between 16.0% to 10.5% of the studied platforms.
In a previous study, the researchers found that JavaScript developers generally use trivial packages because they believe these packages provide them with well tested and implemented code but they are concerned about the management of extra dependencies. In some cases trivial packages can have their own dependencies, increasing the overhead.
In their followup research that includes PyPI, they found Python developers share many of the same reasons for using trivial packages, such as the ability to take advantage of well-implemented, maintained, and tested code, increased productivity, better performance, improved readability, and reduced complexity.
In contrast, the sentiment around trivial package use differs across the two ecosystems:
Only 23.9% of JavaScript developers considered the use of trivial packages as bad, whereas, 70.3% of Python developers consider the use of trivial package as a bad practice.
Despite the perceived benefits of re-using simple, modular packages, developers surveyed in this research cited a number of drawbacks to using trivial packages:
Dependency Overhead: Trivial packages can lead to complex dependency chains, often referred to as 'dependency hell,' making it harder to manage and update projects.
Application Breakage: Applications can break if a trivial package or version becomes unavailable or has a breaking update.
Decreased Performance: Additional dependencies can slow down build and run times, affecting overall performance.
Slower Development: Trivial packages can slow development if developers need to spend time understanding unfamiliar packages.
Missed Learning Opportunities: Relying on trivial packages may reduce developers' understanding of core language concepts.
Security Risks: Trivial packages can introduce security vulnerabilities, making applications more susceptible to attacks.
Licensing Issues: Trivial packages may come with licensing conflicts, potentially causing legal issues.
Researchers also found that although trivial packages appear to be ‘deployment tested’ and to have similar test, usage and community interest as non-trivial packages, only around 28% of npm and 49% PyPI trivial packages have tests.
A significant number of these trivial packages also come with many dependencies. Researchers found that 18.4% and 2.9% of the studied trivial packages have more than 20 dependencies in npm and PyPI, respectively. Nearly half (43%) of trivial npm packages and 36.8% of trivial PyPI packages have at least one dependency.
Based on these findings, the researchers concluded that developers should not assume that trivial packages are well-tested and implemented. Developers should also be aware that using these packages can increase the dependency overhead of their applications.
Socket flags trivial packages as a medium severity alert under the supply chain category. These are packages that contain less than 10 lines of code. For example, here is a package that provides two basic mathematical operations: addition and multiplication.
Many trivial packages contain operations like this that are simple enough to be easily implemented directly in your code without the need for an external dependency. Relying on a package for such basic functionality can be unnecessary and often adds bloat to your project.
Every dependency you add to your project increases your attack surface, even if the package itself is small. Trivial packages may also bring in their own dependencies. By including these packages, you expose your project to potential supply chain attacks, trusting more maintainers and codebases without significant benefit.
If you receive the Trivial Package alert, in many cases it will be safe to ignore, but using trivial packages blindly can pose numerous risks. The JavaScript ecosystem makes extensive use of these small packages, but if you can reduce your reliance on them, it will also decrease your attack surface. Here are a few recommendations:
Evaluate Necessity: Determine if the package truly adds value or if the functionality can be implemented directly within your project.
Check Dependencies: Review the package’s dependencies to ensure they don't introduce unnecessary complexity or risks.
Verify Security: Assess the package for potential security vulnerabilities, especially if it has few maintainers or limited testing.
Minimize External Dependencies: If possible, replace trivial packages with your own code to reduce your attack surface and increase control over your codebase.
Monitor for Updates: Keep track of the package's updates and maintenance activity to avoid potential future issues.
Using Socket you can fully audit your open source code for trivial packages and identify unnecessary dependencies that may be increasing your project’s security risks. Install the free Socket for GitHub app to be notified when you add a new dependency that is a trivial package.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.