A security researcher and system administrator has developed a tool that helps users check packages in the JavaScript NPM software registry for manifest mismatches.

Last week, Darcy Clarke, a former engineering lead at GitHub and NPM, warned about a problem he calls “manifest confusion”, which could introduce the risk of malware hiding in dependencies or of scripts executing during installation.

“Manifest confusion” refers to a security issue in the Node Package Manager (NPM), a package manager for the JavaScript programming language and the default one for the Node.js environment.

The issue is related to inconsistent information between a package’s manifest data as displayed in the NPM registry and the data present in the published package’s ‘package.json’ file.

A malicious actor could manipulate the manifest data of a new package, removing certain scripts or dependencies so that they do not appear in the NPM registry.

However, these scripts or dependencies would still be present in the package.json file and would be executed during package installation, without the user being aware of it.

This issue potentially exposes developers to risks such as cache poisoning, installation of unknown dependencies, execution of unknown scripts, and possibly even downgrade attacks.

Since GitHub hasn’t fixed the issue yet and it’s unclear what the platform plans to do, Clarke suggested that package maintainers stop relying on the manifest data and use a registry proxy to perform data consistency checks.

Manifest Confusion Checker

Until a solution is implemented, sysadmin Felix Pankratz has released a Python-based tool that helps software developers check NPM packages for inconsistencies.

To use the tool, first install its Python dependencies with the pip package manager: “pip install -r requirements.txt”.

To inspect a single package, pass the package name to the script as the first argument. For example:

$ ./npm-manifest-check.py darcyclarke-manifest-pkg

The output will highlight any mismatches in version, dependencies, scripts, and package name between the registry manifest and the actual package.json file.
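To make the comparison concrete, here is an added example (my own code, not Pankratz's tool) of the check the article describes: the registry's per-version manifest is compared field by field against the package.json shipped in the tarball. Both inputs are constructed sample records, and the assumption is that both documents carry the same four keys.

```python
import json

# Fields whose registry-manifest values must agree with the package.json
# inside the published tarball (assumption: both documents use these keys).
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")
DICT_FIELDS = ("dependencies", "scripts")


def _normalize(doc: dict, field: str):
    # A missing dependencies/scripts map means the same as an empty one.
    value = doc.get(field)
    if field in DICT_FIELDS and value is None:
        return {}
    return value


def compare_manifest(registry_manifest: dict, package_json: dict) -> dict:
    """Return {field: (registry_value, package_json_value)} for every checked
    field whose values differ. An empty dict means no mismatch."""
    mismatches = {}
    for field in CHECKED_FIELDS:
        registry_value = _normalize(registry_manifest, field)
        packaged_value = _normalize(package_json, field)
        if registry_value != packaged_value:
            mismatches[field] = (registry_value, packaged_value)
    return mismatches


def format_report(name: str, mismatches: dict) -> str:
    if not mismatches:
        return f"No mismatch detected for {name}."
    lines = [f"Mismatch detected for {name}:"]
    for field, (registry_value, packaged_value) in mismatches.items():
        lines.append(f"  {field}: registry={json.dumps(registry_value)} "
                     f"package.json={json.dumps(packaged_value)}")
    return "\n".join(lines)


# Constructed sample data (not real registry records): the manifest shown by
# the registry omits a dependency and an install script that the tarball's
# package.json actually declares, which is the mismatch the tool flags.
SAMPLE_REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                            "dependencies": {}, "scripts": {}}
SAMPLE_PACKAGE_JSON = {"name": "example-pkg", "version": "1.0.0",
                       "dependencies": {"some-dep": "^1.0.0"},
                       "scripts": {"preinstall": "node setup.js"}}

if __name__ == "__main__":
    result = compare_manifest(SAMPLE_REGISTRY_MANIFEST, SAMPLE_PACKAGE_JSON)
    print(format_report("example-pkg", result))
```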

(Image: output of a package check showing a mismatch)

For a package without incompatibility, the output should look like this:

$ ./npm-manifest-check.py color
No mismatch detected for color.

To inspect multiple packages, developers can add them to a ‘packages.list’ file (one package per line) and use the wrapper script ‘check_packages.sh’ to check them. The tool will report any mismatches found in each of the checked packages.

For the full usage of Pankratz’s tool, run the help command:

./npm-manifest-check.py -h

Manifest confusion is not a widespread or critical problem in the NPM community right now, but ignoring it is not the safe path, as threat actors might start using it for supply chain attacks.
