"NPM Plagued With 'Manifest Confusion' Malware-Hiding Weakness"

A former GitHub employee claims that a vulnerability in Node Package Manager (npm) could enable anyone to hide malicious dependencies and scripts within their packages. Npm, owned by GitHub, is used for sharing JavaScript code among over 17 million developers. In a June 27 blog post, Darcy Clarke, the former staff engineering manager for npm's command line interface team, described a site flaw he called "manifest confusion." The "confusion" stems from the fact that npm does not validate the metadata associated with a given package, allowing any publisher to hide certain information about their packages, such as the scripts it executes and the dependencies on which it relies. In recent months, an increasing number of hackers have devised novel methods to poison packages and spread malware along the code supply chain, putting pressure on npm and other similar repositories. This article continues to discuss the manifest confusion weakness in npm. 

Dark Reading reports "NPM Plagued With 'Manifest Confusion' Malware-Hiding Weakness"