Protect Your System: CLI Tool for Malware Prevention during npm Installations


Socket Unveils Safe npm CLI Tool for Preventing Malware

Socket, a security software company, has launched a new CLI tool, safe npm, to improve security when using npm, the popular JavaScript package manager. Safe npm is an open-source tool that wraps the npm install command and can detect and pause the installation for 11 different types of attacks, including malware, typo-squatting, install scripts, protestware, and telemetry.

npm Install: A Dangerous Command

According to Socket, npm install is the most dangerous command developers run every day. A single installed package pulls in, on average, 79 transitive dependencies, and each of those dependencies carries its own risk: any one of them can harbor malware such as keyloggers, crypto-miners, and spyware.

In many cases the malware is installed without the developer ever being aware of it. A bad actor can publish packages under names similar to those of widely used libraries on npm to carry out typo-squatting attacks.

Socket’s Answer to the Problem

Socket’s new tool, safe npm, is a wrapper for the npm and npx commands intended to mitigate the dangers of npm install. If it identifies a potentially harmful package, it pauses the installation and alerts developers to the risks. The tool evaluates risk using three building blocks: static analysis, metadata analysis, and maintainer behavior. For static analysis it uses an engine developed by Socket that inspects a package’s source code without executing it, looking for indicators of supply chain attacks.

Maintainer behavior and metadata analysis also feed into the evaluation. For instance, packages without maintainers or with recent major refactorings stand out, as do metadata signals such as a package name that closely resembles a popular one, the hallmark of typo-squatting.

Installation and Use

To use Safe npm, developers must first install the preview socket CLI tool by running:

npm install -g @socketsecurity/cli

Once installed, they can run socket npm install, which incorporates the security features. The Safe npm feature is included from CLI version 0.5.1 onward. Developers can check the installed version by running socket --version.

To avoid having to replace npm with socket npm in existing code, the development team recommends a shell alias in .bashrc or .zshrc:

alias npm="socket-npm"
alias npx="socket-npx"
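The alias only helps if the CLI behind it is new enough to carry the safe npm feature. The following shell snippet is an added example, not code from the article or from Socket: it checks that the Socket CLI is installed and at least version 0.5.1 before setting the aliases above, and otherwise leaves plain npm in place and says why. It assumes (unverified) that socket --version prints a semver such as 0.5.1 somewhere in its output; version_key, version_ge and setup_safe_npm_aliases are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the article or from Socket: only alias npm/npx
# to socket-npm/socket-npx when the installed Socket CLI is at least 0.5.1,
# the first version that ships the safe npm feature. Meant to be sourced from
# .bashrc/.zshrc. Assumes (unverified) that `socket --version` prints a
# semver somewhere in its output.

MIN_SOCKET_VERSION="0.5.1"

# version_key "1.2.3" -> 1002003: one integer per semver, so versions can be
# compared numerically. A leading "v" and pre-release tags ("-beta") are
# ignored; a missing minor or patch component counts as 0.
version_key() {
  local v major minor patch rest
  v=${1#v}; v=${v%%-*}
  major=${v%%.*}; rest=${v#*.}
  [ "$rest" = "$v" ] && rest=0          # "1" has no minor component
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0     # "1.2" has no patch component
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# version_ge A B: succeed (exit 0) when semver A >= semver B.
version_ge() {
  [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Set the aliases the article recommends, but only after confirming the CLI
# exists and is new enough; an alias pointing at an older CLI would give a
# false sense of protection.
setup_safe_npm_aliases() {
  local installed
  if ! command -v socket >/dev/null 2>&1; then
    echo "socket CLI not found; install it with: npm install -g @socketsecurity/cli" >&2
    return 1
  fi
  # Pull the first x.y.z out of the output, whatever else the CLI prints.
  installed=$(socket --version 2>/dev/null | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
  if [ -n "$installed" ] && version_ge "$installed" "$MIN_SOCKET_VERSION"; then
    alias npm="socket-npm"
    alias npx="socket-npx"
    echo "npm/npx now routed through Socket CLI $installed"
  else
    echo "Socket CLI version '$installed' is older than $MIN_SOCKET_VERSION; aliases not set" >&2
    return 1
  fi
}
```

Source the file from .bashrc or .zshrc and then call setup_safe_npm_aliases; aliases only persist when the file is sourced, not executed.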

The new release of Safe npm applies its protections with the default socket.yml settings, with no extra configuration required. Developers can contribute to the Socket CLI tool on GitHub. A similar tool for the Python ecosystem, Safe Pip, has already been proposed as a feature request.

Conclusion

Socket’s Safe npm sets out to tackle the vulnerabilities and security risks inherent in using npm. By wrapping npm install, Socket’s CLI tool aims to protect users from the most common attack techniques. Safe npm will undoubtedly be a valuable addition to the security stack of developers who use npm.
