Beware Package Managers

It’s evident that package managers such as npm and nuget are an effective way for hackers to bypass some of the core elements of enterprise security defences. Compromised code can travel undetected through the firewall and passed the virus checker – straight from the internet to the device (e.g. the production server) – fully automated by the development platforms, and without human interaction. From here, the compromised code can potentially access local resources and/or be distributed, by us, to our users via the browser, electronic documents, etc.

The most proactive solution would be to not depend on 3rd party code but instead rely entirely on in-house solutions and build secure development practices around this principle. But if we had to write all the functionality ourselves we would see a dramatic downturn in our ability to add value.

Blacklisting solutions such as snyk and npm audit, much like a virus checker, require prior knowledge of the attack. Ensuring we do not deploy code with known issues by scanning for known vulnerabilities in the CI process is now an obvious first line of defence. Beyond that we should explore additional elements of a blended security approach, such as real time endpoint monitoring and whitelists.

Real time endpoint monitoring

Defining a holistic view of each endpoint and what both normal and out of the ordinary look like doesn’t sound easy but it should be possible to identify modern cyber security products (such as LogRhythm or Heilig Defence) that offer this type of protection.

  • Network monitoring
    • internal communication between servers – IP probing, network drives, database access etc
    • external communication to unexpected 3rd parties
  • Server monitoring
    • a sudden shift in server resource utilisation ram/processor
    • opening and closing network sockets
    • registry access
    • file listings/movement/changes
    • user activity


Manually maintaining a complete whitelist of all nested npm and nuget dependencies is a prohibitive task. (I wouldn’t be surprised to see the appearance of paid whitelisting services in the near future.)

It is entirely plausible to maintain a whitelist of approved root-level packages and/or package maintainers, for example Angular, React, Bootstrap, JQuery or Google, Facebook, Microsoft. It’s a bit like the wild west at the moment and I suggest scheduling a review of the top level packages you are currently knowingly or unknowingly referencing. (This information may be more readily available after integrating with a blacklisting service.)


Introduce a delay between the availability of updated packages and local deployment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.