Introduction

When developing software, it is expected that its security will be ensured. But you developer, do you care about the safety of your entire project or just the part you develop? Currently, most development ecosystems are composed of third party codes that have the same level of access as your application and are managed by a package manager. This way you should be concerned with the security of third party packages in the same way that you are concerned with the rest of your application.

As most of the time third-party packages have their own dependencies, it generates transitivity that greatly increases the range of the packages, which makes it a great target for malicious users. Recently in a very popular NPM package called event-stream that receives millions of weekly downloads, a malicious package called flatmap-stream was found that was stealing bitcoins. This only shows how dependent we are and we need to be concerned with third party codes.

NodeJs

NodeJs is a server-side runtime environment based on JavaScript. Created in 2009 by Ryan Dahl, NodeJS combined Google’s V8 JavaScript engine, an event loop, and a low-level I/O API. Started small, now an open-source with MIT licence, supported by a massive community and hundreds of add-ons. According to Stack Overflow 2019 survey, Node.js is now the most popular tool in “Frameworks, Libraries, and Tools” category with 50% of answers.

Currently many companies have adopted NodeJS, companies such as: Neflix, Paypal, Linkedin and Uber. According to the survey “Node.js User Survey Report” the main advantages of this technology is : Increased developer productivity, improved developer satisfaction, reduced development costs and increased application performance. On the PayPal engineers blog it is shown that the introduction of Node.js doubled the number of requests that PayPal could process per second and the page response time is 200 ms faster.

The use of NodeJs is increasing more and more, and one of those responsible for this is its ecosystem that consists of an application package, which includes all the language dependencies and also dependencies implemented by third parties that are managed by a package manager like is indicated in Figure 1. The NPM package manager has become the most popular package manager for NodeJS and today is the largest language-specific package repository in the world, according to the website Module Counts in December 2020 the NPM has has more than 1.4 million packages.

Figure 1. The Node.js architecture stack withdrawal from the IBM development blog

This type of ecosystem has great scalability but it can bring risks to the application, since third-party packages need to be installed with your application and have the same level of access as your application as shown in Figure 1 where the application and the NPM contribs are on the same level, in other words, you must trust third party libraries as all code is controlled by the library's creators.

Like many languages, the Javascript language has some weaknesses that can be exploited by malicious users. For example, global variables can be changed and overwritten by any application module, even external libraries.

In September 2020 malware was reported emerged of mysterious npm malware stealing sensitive information from Discord apps and web browsers installed on a user’s machine called as Fallguys as shown in the Sonatype blog, which shows how a dependency-based attack happens and how serious it can be. In this way we can define attacks based on dependencies in NodeJs as an attack with the objective of invading, manipulating, leaking or damaging an application in NodeJS through third-party packages pre-installed in the application package that exploit language weaknesses