
github hosted package with shadow npm version is being flagged in our repos as malware #422

Closed
scottdickerson opened this issue Jun 20, 2022 · 8 comments

Comments

@scottdickerson

We have a package in a private github packages repo called @contrast-security-inc/design-system-foundations.

Somehow a package was also published to NPM
https://www.npmjs.com/package/@contrast-security-inc/design-system-foundations

The NPM team flagged this as containing malware. We've opened a ticket requesting more information about who published this version and how it was determined to be malware and asking if it can be removed.

Our repos that consume this package are now receiving this dependabot alert:
GHSA-fx93-477r-j7xh
Is this a false positive? Our .npmrc file indicates that this package is being picked up from our local github packages repo, not the global NPM repo.

@LegoCylon

Yeah, I got the same for GHSA-3x2r-7cgg-82q2

@RPCMoritz

RPCMoritz commented Jun 21, 2022

Looks to be a similar case with GHSA-gp5q-mxgh-g2wx

Never mind: that one was just lower-case package name-squatting.

@martintreurnicht

We're seeing a similar issue with our repo

@InnovateWithEric

I believe I understand because I saw a similar situation.
They're alerting because they see a reference in your repo to a package name in which they found malware in a public package with the same name. Look at the package name they reference on npmjs - it is most likely going to show something like "published 0.0.1-security", meaning npm found malware and replaced the package with a no-op package. The dependabot alert scanner doesn't know you're using a local package with that name. They do know there is an npm package with that name which had malware, so they're alerting. The recommended solution to avoid the alert (and risk) is to scope internal packages to scopes you own.

You got the alert now because they kicked off an effort to publish advisories for malware packages yesterday. The actual malware / replacement of the package with a no-op package may have happened months or even a year ago.
https://github.blog/2022-06-15-github-now-publishes-malware-advisories-in-the-github-advisory-database/

@scottdickerson
Author

scottdickerson commented Jun 23, 2022

Are there instructions for how to reserve a scope for our organization? I guess someone was able to squat on our @Contrast-Security-Inc scope and publish this package? When I try and create a new organization I get this error:
[image]

@ljharb

ljharb commented Jun 23, 2022

If someone else has registered it, you either can't use it, or you have to ask npm support.

@stepankuzmin

stepankuzmin commented Jun 27, 2022

It seems that we have a similar situation with GHSA-3grw-pj9j-ffqw

We used to have a dependency as a GitHub URL in a package.json, and someone created an npm package with the same name mapbox-gl-shaders

{
  "mapbox-gl-shaders": "mapbox/mapbox-gl-shaders#44b65f8090a74cbb0319664d010b8d8a8a1512b0"
}

GitHub Security automation seems to alert because it sees a reference to a package name in which they found malware. The Dependabot alert scanner doesn't know we were using a dependency as a GitHub URL and not an npm package. However, they know there is an npm package with that name that had malware, so they're alerting.
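As an added illustration of the two situations described above (a scoped package served from a private GitHub Packages registry via .npmrc, and an unscoped name consumed as a GitHub URL), this is example code, not from the thread or from GitHub/npm: it reads the scope-to-registry mappings in an .npmrc and reports which package.json dependency names are not pinned to a registry you control, so that name is free to be claimed on the public npm registry. The .npmrc lines, the `internal-utils` dependency and the token value are constructed samples.

```javascript
// Added example (not from the thread): which dependencies are pinned to a private
// registry by an .npmrc scope mapping, and which are still reachable by bare name
// on the public npm registry. All sample inputs below are constructed.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
const GIT_SPEC = /^(github:)?[\w.-]+\/[\w.-]+(#.+)?$|^(git\+)?(https?|ssh|git):/;

// Collect "@scope:registry=URL" mappings from .npmrc text.
function parseNpmrcScopes(npmrc) {
  const scopes = new Map();
  for (const raw of npmrc.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Decide where npm would fetch each dependency from.
function auditDependencies(pkg, npmrc) {
  const scopes = parseNpmrcScopes(npmrc);
  return Object.entries(pkg.dependencies || {}).map(([name, spec]) => {
    let source = 'public-registry';
    if (GIT_SPEC.test(spec)) {
      source = 'git-url'; // fetched from GitHub, not from any registry
    } else if (name.startsWith('@')) {
      const registry = scopes.get(name.split('/')[0]) || PUBLIC_REGISTRY;
      if (registry !== PUBLIC_REGISTRY) source = 'private-registry';
    }
    // Anything not pinned to a registry you control leaves its bare name free
    // to be claimed on npmjs.com; that name match is what Dependabot reported.
    return { name, spec, source, nameOpenOnPublicRegistry: source !== 'private-registry' };
  });
}

// Names worth moving under an owned scope with an .npmrc registry mapping.
function namesOpenOnPublicRegistry(pkg, npmrc) {
  return auditDependencies(pkg, npmrc).filter((d) => d.nameOpenOnPublicRegistry).map((d) => d.name);
}

// Constructed samples mirroring the cases in the thread.
const sampleNpmrc =
  '@contrast-security-inc:registry=https://npm.pkg.github.com/\n' +
  '//npm.pkg.github.com/:_authToken=PLACEHOLDER_TOKEN\n';
const samplePackageJson = {
  dependencies: {
    '@contrast-security-inc/design-system-foundations': '^1.0.0',
    'mapbox-gl-shaders': 'mapbox/mapbox-gl-shaders#44b65f8090a74cbb0319664d010b8d8a8a1512b0',
    'internal-utils': '^2.1.0', // constructed: unscoped internal name, no mapping
  },
};
```

Running `namesOpenOnPublicRegistry(samplePackageJson, sampleNpmrc)` on the samples returns the git-URL dependency and the unmapped unscoped name, while the scoped package mapped to npm.pkg.github.com is left out.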

@KateCatlin
Collaborator

@scottdickerson @LegoCylon @RPCMoritz @martintreurnicht @Straubulous @stepankuzmin thank you for proactively sharing your experience and concern (and thank you @ljharb for chiming in!).

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database, though we do not send Dependabot alerts on them.

We found that the majority of those alerts in question (possibly including the one you raised) were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, with the hope a malicious version would be consumed. As Dependabot doesn’t look at project configuration to determine if the packages are coming from a third-party registry, it has been triggering a notification for packages with the same name from the public npm registry. To resolve this issue in the short term, we paused all Dependabot notifications on malware advisories and will work to determine how to best notify customers of being the target of a substitution attack going forward.

If you are the owner of this package, it seems your package was the target of a substitution attack. However, it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

If you think that this advisory has been created in error, you can reach out to NPM support to clarify!

I'm going to close this Issue as there is no further action that we can take, but please reopen a new one if you have another ask!
