Socket Unveils Safe npm CLI Tool for Preventing Malware
npm Install: A Dangerous Command
According to Socket, npm install is the most dangerous command that developers execute every day. A single installed package pulls in, on average, 79 transitive dependencies, and each of those dependencies carries significant risk: any of them can harbor malware, including keyloggers, crypto-miners, and spyware.
In many cases, the malware is installed automatically without the developer even being aware of it. A bad actor can upload packages with similar names to those of widely-used libraries on npm to execute typo-squatting attacks.
Socket’s Answer to the Problem
Socket’s new tool, safe npm, is a wrapper for the npm and npx commands intended to mitigate the dangers of npm install. If it identifies a potentially harmful package, it can pause the installation process and alert developers to the risks. The tool evaluates risk using three building blocks: static analysis, metadata analysis, and maintainer behavior. For static analysis it uses an engine developed by Socket that examines a package's source code without executing it, looking for signs of supply chain attacks.
Maintainer behavior and metadata analysis also contribute to the evaluation. For instance, packages without maintainers or with recent major refactorings stand out, as do metadata signals such as a package name that suggests typosquatting.
Installation and Use
To use Safe npm, developers must first install the preview socket CLI tool by running:
npm install -g @socketsecurity/cli
Once installed, they can run socket npm install, which adds the protective checks. The Safe npm feature is included from CLI version 0.5.1 onward. Developers can verify the installed version by running socket --version.
To avoid having to use socket npm in existing code, the development team recommends using a shell alias in .bashrc or .zshrc:
alias npm="socket-npm"
alias npx="socket-npx"
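The version check and alias setup described above, automated as an added example (not code from the article or from the Socket project): a POSIX shell script that refuses to wire up the aliases unless the installed CLI is at least 0.5.1, the first release with Safe npm. It assumes that socket --version prints a dotted version such as 0.5.1 as the first number in its output.

```shell
#!/bin/sh
# Added example, not part of the article or the Socket CLI.
# Enable Safe npm aliases only when the Socket CLI is new enough to provide them.
MIN_VERSION="0.5.1"   # first Socket CLI release that ships Safe npm

# Extract the first major.minor.patch number from a string such as
# "socket/0.5.1 linux-x64" (assumed output shape of "socket --version").
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when $1 >= $2, comparing major, minor and patch numerically.
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Append the two aliases to an rc file, skipping any that are already present.
install_aliases() {
    rc="$1"
    grep -q 'alias npm="socket-npm"' "$rc" 2>/dev/null || printf '%s\n' 'alias npm="socket-npm"' >> "$rc"
    grep -q 'alias npx="socket-npx"' "$rc" 2>/dev/null || printf '%s\n' 'alias npx="socket-npx"' >> "$rc"
}

# Check the CLI, then install the aliases into the rc file given as $1.
main() {
    if ! command -v socket >/dev/null 2>&1; then
        echo "socket CLI not found; run: npm install -g @socketsecurity/cli" >&2
        return 1
    fi
    installed=$(extract_version "$(socket --version 2>&1)")
    if [ -z "$installed" ] || ! version_ge "$installed" "$MIN_VERSION"; then
        echo "Socket CLI ${installed:-unknown} is older than $MIN_VERSION; Safe npm unavailable" >&2
        return 1
    fi
    install_aliases "$1"
    echo "Safe npm aliases installed (Socket CLI $installed) in $1"
}

# Usage: sh safe-npm-setup.sh --apply [rcfile]   (defaults to ~/.bashrc)
case "${1:-}" in --apply) main "${2:-$HOME/.bashrc}" ;; esac
```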
The new release of Safe npm can also bypass flagged vulnerabilities with the default socket.yml settings. Developers can contribute to the Socket CLI tool on GitHub. A similar tool for the Python ecosystem, Safe Pip, is currently under discussion as a feature request.
Socket’s Safe npm sets out to tackle the vulnerabilities and security risks inherent in using npm. By wrapping npm install, Socket’s CLI tool aims to protect users from the most frequently used attack techniques. Safe npm will undoubtedly be a valuable addition to the security stack of developers who use npm.