Yesterday, Darcy Clarke, a software developer and former npm CLI team Engineering Manager, steered everyone’s attention toward a gap in the npm registry website – what he calls “manifest confusion.”
What Is Manifest Confusion?
As Clarke details in his blog post (and as The Register first reported), an npm package’s manifest is published on npmjs.com independently of the actual contents of its tarball. Because the registry-side manifest and the package.json inside the tarball are decoupled, anyone relying on the registry view can be “confused” when the real dependencies and manifest differ substantially from what the website shows.
As a succinct example, Clarke created a proof-of-concept npm package called `darcyclarke-manifest-pkg` that, according to the npmjs.com website, has zero dependencies and no license information listed:

But a quick look inside the (real) manifest file, package.json, bundled within the package reveals otherwise:

Upon installation, `darcyclarke-manifest-pkg` will clearly pull in the ‘sleepover’ dependency (also created by Clarke), and the package is in fact ISC-licensed.
Furthermore, the package calls itself ‘express’, as is apparent from the first line, and lists a version (3.0.0) that differs from the version we actually analyzed (2.1.x).
Clarke’s dummy package also runs an “install” script, yet another detail the npm website does not reveal. Install-time scripts are exactly the kind of behavior a threat actor can leverage for malicious ends, as we have seen time and time again.
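One defensive check that follows directly from the discrepancies described above is to compare the manifest the registry serves for a package version against the package.json actually inside the downloaded tarball. The script below is an added example written for this article; it is not code from Clarke’s post, the npm CLI, or the registry. It assumes the registry document has the shape served by registry.npmjs.org (a `versions` map keyed by version string plus `dist-tags`), and the sample manifests are constructed to mirror the article’s findings: the concrete version `2.1.0`, the `*` range for `sleepover`, and the install command are placeholders, not values taken from the real package.

```javascript
// Added example (not code from Clarke's post, the npm CLI, or the registry):
// compare the manifest the registry serves for a package version with the
// package.json found inside its tarball and report where they disagree.
// The sample manifests below are constructed to mirror the discrepancies the
// article describes; "2.1.0", the "*" range and the install command are
// placeholders, not values from the real package.

// Fields where the registry-side manifest and the tarball package.json are
// expected to agree for an honestly published package.
const CHECKED_FIELDS = ['name', 'version', 'license', 'dependencies', 'scripts'];

// Lifecycle scripts that npm runs on the installing machine.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Normalise a field to a string so that object fields (dependencies, scripts)
// compare by content rather than key order, and a missing field is explicit.
function normalise(value) {
  if (value === undefined || value === null) return '<missing>';
  if (typeof value === 'object') {
    return Object.keys(value)
      .sort()
      .map((k) => `${k}=${value[k]}`)
      .join(',');
  }
  return String(value);
}

// Returns one record per checked field whose registry value differs from the
// tarball value. An empty array means the two manifests agree on these fields.
function compareManifests(registryManifest, tarballManifest) {
  const findings = [];
  for (const field of CHECKED_FIELDS) {
    const registry = normalise(registryManifest[field]);
    const tarball = normalise(tarballManifest[field]);
    if (registry !== tarball) findings.push({ field, registry, tarball });
  }
  return findings;
}

// Returns the install-time hooks present in the tarball's package.json that the
// registry manifest does not show; these run on the developer's machine at
// `npm install`, which is why they get a separate flag.
function hiddenInstallHooks(registryManifest, tarballManifest) {
  const shown = registryManifest.scripts || {};
  const real = tarballManifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in real && !(hook in shown));
}

// Selects the per-version manifest from a registry document ("packument") of the
// shape served by https://registry.npmjs.org/<name>. Defaults to the "latest" tag.
function pickRegistryManifest(packument, version) {
  const wanted = version || (packument['dist-tags'] || {}).latest;
  const manifest = (packument.versions || {})[wanted];
  if (!manifest) throw new Error(`version ${wanted} not present in registry document`);
  return manifest;
}

// Constructed registry document: what the website/registry claims about the package.
const SAMPLE_PACKUMENT = {
  name: 'darcyclarke-manifest-pkg',
  'dist-tags': { latest: '2.1.0' }, // placeholder for the "2.1.x" the article analysed
  versions: {
    // no dependencies, no license, no scripts, as shown on the website
    '2.1.0': { name: 'darcyclarke-manifest-pkg', version: '2.1.0' },
  },
};

// Constructed package.json as it would be read out of the downloaded tarball.
const SAMPLE_TARBALL_MANIFEST = {
  name: 'express',
  version: '3.0.0',
  license: 'ISC',
  dependencies: { sleepover: '*' }, // range is a placeholder
  scripts: { install: 'node ./install.js' }, // command is a placeholder
};

// Human-readable report lines for one package version.
function report(packument, tarballManifest, version) {
  const registryManifest = pickRegistryManifest(packument, version);
  const lines = compareManifests(registryManifest, tarballManifest).map(
    (f) => `MISMATCH ${f.field}: registry=${f.registry} tarball=${f.tarball}`
  );
  for (const hook of hiddenInstallHooks(registryManifest, tarballManifest)) {
    lines.push(`HIDDEN LIFECYCLE SCRIPT: ${hook}`);
  }
  return lines.length ? lines : ['OK: registry manifest matches tarball package.json'];
}

console.log(report(SAMPLE_PACKUMENT, SAMPLE_TARBALL_MANIFEST).join('\n'));
```

In a real pipeline the packument comes from `https://registry.npmjs.org/<name>`, and the tarball manifest is the `package/package.json` entry of the archive referenced by that version’s `dist.tarball` field; the comparison logic is the same. Treating any mismatch, and any install hook the registry view did not show, as a blocking finding is the point: it refuses to trust the website’s rendering of the manifest over the files that will actually be installed.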
Why Does npm Manifest Confusion Matter?
Manifest confusion becomes problematic in development environments without effective DevSecOps workflows and tooling in place, especially when applications and tools blindly trust the registry-published manifest rather than the actual (vulnerable or malicious) files contained within open source packages.
Some security tools, for example, may choose to fetch and display information as provided on the npmjs.com website, as is, thereby misleading developers into (Read more...)