
Supply Chain Software Security News
The latest supply chain software security stories, summarized by AI
Featured Supply Chain Software Security Stories


"Node.js Users Vulnerable to Manifest Confusion Attack: Malware Threat Looms"
The npm registry for Node.js is affected by a "manifest confusion" weakness that lets threat actors hide malicious dependencies or run arbitrary install scripts. The root cause is that the manifest (the metadata a publisher submits to the registry, including the package's name, version, dependencies and scripts) is stored separately from the package.json inside the uploaded tarball, and the registry does not verify that the two agree. Tooling that trusts the registry manifest therefore sees one set of dependencies and scripts, while the tarball that actually gets installed can carry another, so a module can declare undisclosed dependencies or install scripts that are only visible once the tarball is unpacked. Because the registry metadata cannot be relied on, users are advised to inspect the contents of packages themselves rather than scanning metadata alone. GitHub, which operates npm, is aware of the problem but has yet to resolve it. A separate study of GitHub repositories also found insecure dependencies, highlighting the ongoing threat to software supply chains.
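The check the story calls for is to compare the registry's manifest against the package.json inside the tarball and flag any field that differs. The script below is an added example written for this page, not code from npm, GitHub or the original article. It builds a small npm-style tarball in memory as a constructed fixture (package name, dependency names and script content are all made up), reads the package.json back out of it the way an installer would, and diffs the dependency map and install-time scripts against a constructed registry manifest. Python is used here because its standard library can build and read gzipped tarballs offline; against the real registry, a practitioner would feed it the packument from `https://registry.npmjs.org/<name>` (the `versions[<version>]` object) and the tarball produced by `npm pack <name>@<version>`.

```python
import io
import json
import tarfile

# Lifecycle scripts npm runs automatically when installing a registry
# dependency. A script present only in the tarball would still execute.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")


def build_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style .tgz whose only entry is package/package.json.

    Used here only to construct a fixture; real tarballs come from `npm pack`
    or the `dist.tarball` URL in the packument.
    """
    payload = json.dumps(package_json).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def read_tarball_manifest(tgz: bytes) -> dict:
    """Return the package.json embedded in an npm tarball, without touching disk."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def manifest_diff(registry: dict, tarball: dict) -> list:
    """List every way the registry manifest and the tarball's package.json disagree.

    An empty list means the metadata a resolver trusts matches what installs.
    """
    findings = []
    for field in ("name", "version"):
        if registry.get(field) != tarball.get(field):
            findings.append(
                f"{field} mismatch: registry={registry.get(field)!r} "
                f"tarball={tarball.get(field)!r}"
            )

    reg_deps = registry.get("dependencies") or {}
    tar_deps = tarball.get("dependencies") or {}
    for name in sorted(set(tar_deps) - set(reg_deps)):
        findings.append(f"dependency {name!r} declared only in tarball ({tar_deps[name]})")
    for name in sorted(set(reg_deps) - set(tar_deps)):
        findings.append(f"dependency {name!r} declared only in registry ({reg_deps[name]})")
    for name in sorted(set(reg_deps) & set(tar_deps)):
        if reg_deps[name] != tar_deps[name]:
            findings.append(
                f"dependency {name!r} range differs: registry={reg_deps[name]} "
                f"tarball={tar_deps[name]}"
            )

    reg_scripts = registry.get("scripts") or {}
    tar_scripts = tarball.get("scripts") or {}
    for hook in INSTALL_SCRIPTS:
        if reg_scripts.get(hook) != tar_scripts.get(hook):
            findings.append(
                f"{hook} script differs: registry={reg_scripts.get(hook)!r} "
                f"tarball={tar_scripts.get(hook)!r}"
            )
    return findings


# Constructed registry manifest: what `npm view example-pkg@1.0.0` would show.
REGISTRY_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21"},
}

# Constructed tarball contents: same name and version, but an extra dependency
# and a postinstall hook that the registry metadata never mentions.
TARBALL_PACKAGE_JSON = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "evil-dep": "1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
}


def demo() -> list:
    """Run the check on the constructed fixture and return the findings."""
    tarball_manifest = read_tarball_manifest(build_tarball(TARBALL_PACKAGE_JSON))
    return manifest_diff(REGISTRY_MANIFEST, tarball_manifest)


if __name__ == "__main__":
    for finding in demo():
        print("MANIFEST CONFUSION:", finding)
```

The diff is deliberately strict on install-time scripts: a hook that exists in the tarball but not in the registry metadata is exactly the case the story describes, since npm will run it regardless of what the registry claims. Extending the comparison to `optionalDependencies`, `peerDependencies` and `bin` is straightforward and worth doing for any package admitted into a build pipeline.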