Small World with High Risks: A Study of Security Threats in the npm Ecosystem
The popularity of JavaScript has lead to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages. Unfortunately, this open nature also causes security risks, a...
Gespeichert in:
| Hauptverfasser: | , , , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Zimmermann, Markus Staicu, Cristian-Alexandru Tenny, Cam Pradel, Michael |
| description | The popularity of JavaScript has lead to a large ecosystem of third-party
packages available via the npm software package registry. The open nature of
npm has boosted its growth, providing over 800,000 free and reusable software
packages. Unfortunately, this open nature also causes security risks, as
evidenced by recent incidents of single packages that broke or attacked
software running on millions of computers. This paper studies security risks
for users of npm by systematically analyzing dependencies between packages, the
maintainers responsible for these packages, and publicly reported security
issues. Studying the potential for running vulnerable or malicious code due to
third-party dependencies, we find that individual packages could impact large
parts of the entire ecosystem. Moreover, a very small number of maintainer
accounts could be used to inject malicious code into the majority of all
packages, a problem that has been increasing over time. Studying the potential
for accidentally using vulnerable code, we find that lack of maintenance causes
many packages to depend on vulnerable code, even years after a vulnerability
has become public. Our results provide evidence that npm suffers from single
points of failure and that unmaintained packages threaten large code bases. We
discuss several mitigation techniques, such as trusted maintainers and total
first-party security, and analyze their potential effectiveness. |
| doi_str_mv | 10.48550/arxiv.1902.09217 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_1902_09217</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>1902_09217</sourcerecordid><originalsourceid>FETCH-LOGICAL-a677-f708d691d84014b58abe53dd1594406c2078d5e13081e71fbff34f30f003ebb23</originalsourceid><addsrcrecordid>eNotz0FLwzAYgOFcPMj0B3jy-wOtX5qkSb2NMZ0wEWzBY0mbxAbbdSSZ2n8vTk_v7YWHkBuKOVdC4J0O3_4zpxUWOVYFlZfkuZ70OMLbHEYDXz4NsPPvA7z6-BHvYQ11OpkFZge17U_BpwWaIVidIvgDpMHC4TjBtp_jEpOdrsiF02O01_9dkeZh22x22f7l8Wmz3me6lDJzEpUpK2oUR8o7oXRnBTOGiopzLPsCpTLCUoaKWkld5xzjjqFDZLbrCrYit3_bs6c9Bj_psLS_rvbsYj9ft0cN</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Small World with High Risks: A Study of Security Threats in the npm Ecosystem</title><source>arXiv.org</source><creator>Zimmermann, Markus ; Staicu, Cristian-Alexandru ; Tenny, Cam ; Pradel, Michael</creator><creatorcontrib>Zimmermann, Markus ; Staicu, Cristian-Alexandru ; Tenny, Cam ; Pradel, Michael</creatorcontrib><description>The popularity of JavaScript has lead to a large ecosystem of third-party
packages available via the npm software package registry. The open nature of
npm has boosted its growth, providing over 800,000 free and reusable software
packages. Unfortunately, this open nature also causes security risks, as
evidenced by recent incidents of single packages that broke or attacked
software running on millions of computers. This paper studies security risks
for users of npm by systematically analyzing dependencies between packages, the
maintainers responsible for these packages, and publicly reported security
issues. Studying the potential for running vulnerable or malicious code due to
third-party dependencies, we find that individual packages could impact large
parts of the entire ecosystem. Moreover, a very small number of maintainer
accounts could be used to inject malicious code into the majority of all
packages, a problem that has been increasing over time. Studying the potential
for accidentally using vulnerable code, we find that lack of maintenance causes
many packages to depend on vulnerable code, even years after a vulnerability
has become public. Our results provide evidence that npm suffers from single
points of failure and that unmaintained packages threaten large code bases. We
discuss several mitigation techniques, such as trusted maintainers and total
first-party security, and analyze their potential effectiveness.</description><identifier>DOI: 10.48550/arxiv.1902.09217</identifier><language>eng</language><subject>Computer Science - Cryptography and Security</subject><creationdate>2019-02</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,777,882</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/1902.09217$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.1902.09217$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Zimmermann, Markus</creatorcontrib><creatorcontrib>Staicu, Cristian-Alexandru</creatorcontrib><creatorcontrib>Tenny, Cam</creatorcontrib><creatorcontrib>Pradel, Michael</creatorcontrib><title>Small World with High Risks: A Study of Security Threats in the npm Ecosystem</title><description>The popularity of JavaScript has lead to a large ecosystem of third-party
packages available via the npm software package registry. The open nature of
npm has boosted its growth, providing over 800,000 free and reusable software
packages. Unfortunately, this open nature also causes security risks, as
evidenced by recent incidents of single packages that broke or attacked
software running on millions of computers. This paper studies security risks
for users of npm by systematically analyzing dependencies between packages, the
maintainers responsible for these packages, and publicly reported security
issues. Studying the potential for running vulnerable or malicious code due to
third-party dependencies, we find that individual packages could impact large
parts of the entire ecosystem. Moreover, a very small number of maintainer
accounts could be used to inject malicious code into the majority of all
packages, a problem that has been increasing over time. Studying the potential
for accidentally using vulnerable code, we find that lack of maintenance causes
many packages to depend on vulnerable code, even years after a vulnerability
has become public. Our results provide evidence that npm suffers from single
points of failure and that unmaintained packages threaten large code bases. We
discuss several mitigation techniques, such as trusted maintainers and total
first-party security, and analyze their potential effectiveness.</description><subject>Computer Science - Cryptography and Security</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2019</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotz0FLwzAYgOFcPMj0B3jy-wOtX5qkSb2NMZ0wEWzBY0mbxAbbdSSZ2n8vTk_v7YWHkBuKOVdC4J0O3_4zpxUWOVYFlZfkuZ70OMLbHEYDXz4NsPPvA7z6-BHvYQ11OpkFZge17U_BpwWaIVidIvgDpMHC4TjBtp_jEpOdrsiF02O01_9dkeZh22x22f7l8Wmz3me6lDJzEpUpK2oUR8o7oXRnBTOGiopzLPsCpTLCUoaKWkld5xzjjqFDZLbrCrYit3_bs6c9Bj_psLS_rvbsYj9ft0cN</recordid><startdate>20190225</startdate><enddate>20190225</enddate><creator>Zimmermann, Markus</creator><creator>Staicu, Cristian-Alexandru</creator><creator>Tenny, Cam</creator><creator>Pradel, Michael</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20190225</creationdate><title>Small World with High Risks: A Study of Security Threats in the npm Ecosystem</title><author>Zimmermann, Markus ; Staicu, Cristian-Alexandru ; Tenny, Cam ; Pradel, Michael</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a677-f708d691d84014b58abe53dd1594406c2078d5e13081e71fbff34f30f003ebb23</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2019</creationdate><topic>Computer Science - Cryptography and Security</topic><toplevel>online_resources</toplevel><creatorcontrib>Zimmermann, Markus</creatorcontrib><creatorcontrib>Staicu, Cristian-Alexandru</creatorcontrib><creatorcontrib>Tenny, Cam</creatorcontrib><creatorcontrib>Pradel, Michael</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Zimmermann, Markus</au><au>Staicu, Cristian-Alexandru</au><au>Tenny, Cam</au><au>Pradel, Michael</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Small World with High Risks: A Study of Security Threats in the npm Ecosystem</atitle><date>2019-02-25</date><risdate>2019</risdate><abstract>The popularity of JavaScript has lead to a large ecosystem of third-party
packages available via the npm software package registry. The open nature of
npm has boosted its growth, providing over 800,000 free and reusable software
packages. Unfortunately, this open nature also causes security risks, as
evidenced by recent incidents of single packages that broke or attacked
software running on millions of computers. This paper studies security risks
for users of npm by systematically analyzing dependencies between packages, the
maintainers responsible for these packages, and publicly reported security
issues. Studying the potential for running vulnerable or malicious code due to
third-party dependencies, we find that individual packages could impact large
parts of the entire ecosystem. Moreover, a very small number of maintainer
accounts could be used to inject malicious code into the majority of all
packages, a problem that has been increasing over time. Studying the potential
for accidentally using vulnerable code, we find that lack of maintenance causes
many packages to depend on vulnerable code, even years after a vulnerability
has become public. Our results provide evidence that npm suffers from single
points of failure and that unmaintained packages threaten large code bases. We
discuss several mitigation techniques, such as trusted maintainers and total
first-party security, and analyze their potential effectiveness.</abstract><doi>10.48550/arxiv.1902.09217</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.1902.09217 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_1902_09217 |
| source | arXiv.org |
| subjects | Computer Science - Cryptography and Security |
| title | Small World with High Risks: A Study of Security Threats in the npm Ecosystem |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-18T03%3A05%3A42IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Small%20World%20with%20High%20Risks:%20A%20Study%20of%20Security%20Threats%20in%20the%20npm%20Ecosystem&rft.au=Zimmermann,%20Markus&rft.date=2019-02-25&rft_id=info:doi/10.48550/arxiv.1902.09217&rft_dat=%3Carxiv_GOX%3E1902_09217%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |