What are Weak Links in the npm Supply Chain?
Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, Laurie Williams

TL;DR
This study analyzes npm package metadata to identify security weak links, proposing six signals of vulnerability, validating them through case studies and developer feedback, to enhance supply chain security.
Contribution
It introduces six empirically derived weak link signals in npm packages, validated with real data and developer input, to predict and prevent supply chain attacks.
Findings
Identified 11 malicious packages via install script signals
Found 2,818 maintainer emails with expired domains, risking hijacking
Majority of developers support weak link signals and want early notifications
Abstract
Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata. In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email…
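As an added example (not code from the paper or its authors), the first two signals named in the abstract, install scripts and maintainer e-mail domains, checked against a constructed registry document. The document's shape follows what the npm registry serves for a package (dist-tags, versions, maintainers), but the sample values, the function names and the set of already-expired domains are assumptions; the domain-expiry lookup itself (WHOIS/DNS) is left to the caller.

```python
"""Two of the paper's weak-link signals, evaluated on npm package metadata."""
import json

# Lifecycle hooks npm runs at install time; their presence is signal one.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample in the shape of a registry package document (abridged).
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-widget",
    "dist-tags": {"latest": "1.2.0"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@old-company.example"},
    ],
    "versions": {
        "1.1.0": {"scripts": {"test": "node test.js"}},
        "1.2.0": {"scripts": {"postinstall": "node setup.js",
                              "test": "node test.js"}},
    },
})


def install_scripts(packument: dict) -> dict:
    """Return {hook: command} for install-time hooks in the latest version."""
    latest = packument["dist-tags"]["latest"]
    scripts = packument["versions"].get(latest, {}).get("scripts", {})
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def maintainer_domains(packument: dict) -> set:
    """Domains behind maintainer e-mails; each one is a candidate for an expiry check."""
    found = set()
    for m in packument.get("maintainers", []):
        email = m.get("email", "")
        if "@" in email:
            found.add(email.rsplit("@", 1)[1].lower())
    return found


def weak_link_report(packument_json: str, expired_domains) -> dict:
    """Summarise both signals; expired_domains comes from a separate registration check."""
    p = json.loads(packument_json)
    hooks = install_scripts(p)
    domains = maintainer_domains(p)
    return {
        "install_scripts": hooks,
        "has_install_script": bool(hooks),
        "maintainer_domains": sorted(domains),
        "expired_maintainer_domains": sorted(domains & set(expired_domains)),
    }


if __name__ == "__main__":
    # Assumed: old-company.example was found expired by the caller's lookup.
    print(json.dumps(weak_link_report(SAMPLE_PACKUMENT, {"old-company.example"}), indent=2))
```

A package that trips both signals at once (an install hook maintained by an account whose e-mail domain anyone could re-register) is the combination the paper's findings single out as hijackable.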
