Application Security
Feross Aboukhadijeh
January 4, 2024
Happy 2024, folks! Just when we thought we'd seen it all, an npm user named PatrickJS, aka gdi2290, threw us a curveball. He (along with a group of contributors) kicked off the year with a bang, launching a troll campaign that uploaded an npm package aptly named everything. This package, true to its name, depends on every other public npm package, creating millions of transitive dependencies.
The everything package and its 3,000+ sub-packages have caused a Denial of Service (DoS) for anyone who installs it. We're talking about storage space running out and system resource exhaustion.
But that's not all. The creator took their prank to the next level by setting up http://everything.npm.lol, showcasing the chaos they unleashed. They even included a meme from Skyrim, adding some humor (or mockery, depending on your perspective) to the situation.
everything's package.json file:

{
  "name": "everything",
  "version": "3.0.0",
  "description": "npm install everything",
  "main": "index.js",
  "contributors": [
    "PatrickJS <github@patrickjs.com>",
    "uncenter <hi@uncenter.dev>",
    "ChatGPT <chatgpt@openai.com>",
    "trash <trash@trash.dev>",
    "Hacksore <sean@boult.me>"
  ],
  "scripts": {},
  "keywords": [
    "everything",
    "allthethings",
    "everymodule"
  ],
  "license": "MIT",
  "homepage": "https://github.com/everything-registry/everything",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/everything-registry/everything.git"
  },
  "dependencies": {
    "@everything-registry/chunk-0": "0.1.0",
    "@everything-registry/chunk-1": "0.1.0",
    "@everything-registry/chunk-2": "0.1.0",
    "@everything-registry/chunk-3": "0.1.0",
    "@everything-registry/chunk-4": "0.1.0"
  }
}
This isn't the first time we've seen such a stunt. Last year, the no-one-left-behind package by Zalastax attempted something similar. It was removed, but then reemerged under a different scope with over 33,000 sub-packages. It's like playing whack-a-mole with npm packages!
It’s also reminiscent of a package called “hoarders” that used to directly depend on every module on npm (approximately 20,000 in 2012). It was published by software engineer Josh Holbrook, created to be “node.js's most complete utility grab bag.”
In an effort to maintain a secure and reliable ecosystem for JavaScript developers, hoarders was effectively “cancelled” by Isaac Schlueter (creator of the npm package manager) after a year, due to the strain it caused on the registry's database.
The "everything" package, with its 5 sub-packages and thousands of dependencies, has essentially locked down the ability for authors to unpublish their packages. This situation is due to npm's policy shift following the infamous "left-pad" incident in 2016, where a popular package, left-pad, was removed, grinding development to a halt across much of the developer world. In response, npm tightened its rules around unpublishing, specifically preventing the unpublishing of any package that is used by another package.
Ironically, this policy trapped PatrickJS in his own web. Upon realizing the impact of his prank, he attempted to remove the everything package but was unable to do so. He reached out to the npm support team for help, but the damage was done.
PatrickJS wrote this apology on GitHub in a since-removed GitHub issue:
Hi all! First, just want to apologize about any difficulties this package has caused. We are working to resolve the issues and we have contacted NPM regarding support with this matter (see below). We appreciate your patience.
The major issue here is that when a package depends on another package at a specific version, that version cannot be unpublished. We've since realized there is an issue with "star" versions - a.k.a depending on any/all versions of another package ( "package-xyz": "*" ) - any version of that package is now unable to unpublish. As I previously mentioned, we've reached out to npm and are hoping they can either A) allow folks to unpublish when the packages that depend on them use a "star" version, B) not permit star versions in published packages going forward, or as a last resort, C) remove our npm organization entirely (and remove all of the packages that are blocking unpublishing). As far as we can tell, there is simply nothing we can do on our own - we can't unpublish the packages ourselves (because other packages depend on them) and publishing a new version over them doesn't change anything.
However, we now see that while everything remains on the registry, the @everything-registry scoped packages have been made private, potentially offering a resolution.
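The mechanism behind the whole mess is a package.json whose dependency map is enormous and pinned with "star" ranges, so that every version of every dependency becomes un-unpublishable. A cheap defensive screen is to look at a package's manifest before installing it and flag exactly that shape: wildcard ranges and an unusually large dependency count. The following is an added example written for this post; it is not Socket's code or anything from the everything repository. It reads only a local package.json object (no registry calls), the size threshold is an arbitrary default, and the sample chunk manifest with the names example-a/b/c is constructed here to mirror the "*" pattern PatrickJS describes, not copied from the real @everything-registry packages.

```javascript
// Added example (not Socket's or the everything package's own code).
// Screens a package.json object for the pattern described in the post:
// wildcard ("star") dependency ranges and a very large dependency map.

// Ranges that resolve to "whatever is current" rather than a bounded set of
// versions. "*", "" and "x"/"X" are semver wildcards; "latest" is a dist-tag
// that behaves the same way in practice.
const WILDCARD_RANGES = new Set(['*', '', 'x', 'X', 'latest']);

function isWildcardRange(range) {
  if (typeof range !== 'string') return false;
  return WILDCARD_RANGES.has(range.trim());
}

// Walks every dependency section of a parsed package.json and returns a
// summary: total declared dependencies, the wildcard entries, and whether
// either signal crosses the threshold. maxDeps is an arbitrary default
// chosen for this example (assumption), not an npm limit.
function auditDependencies(pkg, opts = {}) {
  const maxDeps = opts.maxDeps === undefined ? 200 : opts.maxDeps;
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const wildcard = [];
  let total = 0;
  for (const section of sections) {
    const deps = pkg[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, range] of Object.entries(deps)) {
      total += 1;
      if (isWildcardRange(range)) wildcard.push(`${section}:${name}@${JSON.stringify(range)}`);
    }
  }
  const tooMany = total > maxDeps;
  return {
    name: pkg.name,
    total,
    wildcard,
    tooMany,
    suspicious: wildcard.length > 0 || tooMany,
  };
}

// Human-readable one-line verdict, handy in a pre-install hook.
function formatReport(result) {
  const flags = [];
  if (result.wildcard.length > 0) flags.push(`${result.wildcard.length} wildcard range(s)`);
  if (result.tooMany) flags.push(`${result.total} dependencies exceeds threshold`);
  return `${result.name}: ${result.suspicious ? 'SUSPICIOUS' : 'ok'}${flags.length ? ' (' + flags.join('; ') + ')' : ''}`;
}

// Constructed sample 1: the top-level manifest shown in the post, which pins
// its five chunk packages to an exact version and so looks clean on its own.
const EVERYTHING_MANIFEST = {
  name: 'everything',
  version: '3.0.0',
  dependencies: {
    '@everything-registry/chunk-0': '0.1.0',
    '@everything-registry/chunk-1': '0.1.0',
    '@everything-registry/chunk-2': '0.1.0',
    '@everything-registry/chunk-3': '0.1.0',
    '@everything-registry/chunk-4': '0.1.0',
  },
};

// Constructed sample 2: a hypothetical chunk manifest using "star" ranges, the
// shape the post says blocks unpublishing of every version of each dependency.
// Package names are made up for this example.
const HYPOTHETICAL_CHUNK_MANIFEST = {
  name: '@everything-registry/chunk-example',
  version: '0.1.0',
  dependencies: {
    'example-a': '*',
    'example-b': ' * ',
    'example-c': 'latest',
    'example-d': '^1.2.0',
  },
};

console.log(formatReport(auditDependencies(EVERYTHING_MANIFEST)));
console.log(formatReport(auditDependencies(HYPOTHETICAL_CHUNK_MANIFEST)));
```

Note that the top-level manifest passes on its own: the wildcard ranges live one level down in the chunk packages, so a screen like this has to be run over the whole resolved tree (for example, over every package.json under node_modules after a dry-run install), not just the package you typed into npm install.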
This whole saga is more than just a digital prank. It highlights the ongoing challenges in package management within the npm ecosystem. For developers, it's a reminder of the cascading effects of dependencies and the importance of mindful package creation, maintenance, and consumption.
As we navigate the open source world, incidents like the everything package remind us of the delicate balance between freedom and responsibility in open-source software.
Install Socket for GitHub to stay secure this year, and let's see what the rest of 2024 has in store for us!
h/t Ax Sharma