How To Secure NPM Packages From Getting Hacked?

How to secure npm packages from getting hacked

In the web development world, using and sharing reusable build-blocks is a common thing. With NPM, adding new open source packages to application is simple and more accessible than ever. There are 1.5  million packages available in the npm registry and up to 90% of the code in modern apps is open source code developed by others. With such a huge number of npm packages it is obvious that hackers can attack with malicious intent. And nowadays lots of developers are claiming that npm packages are getting hacked. So here we came with some best practices for npm package security. Let’s have a look.

Top 7 Best Practices For NPM Security-

NPM logo

1. Use NPM Author Tokens-

When you log in with npm CLI, token is generated for your user and authenticates you to the npm registry. Token eases npm registry related actions during CI and automated procedures like accessing private modules on registry or publishing new versions from build step. Tokens can be managed via npm registry website and using npm command line client. Let’s have a look at the example of using CLI to create read-only token which is restricted to a particular IPv4 address range-

$ npm token create --read-only --cidr=

So as to verify which tokens are generated for user or to revoke tokens for emergencies, you can use npm token list or npm token revoke resp. You must check that you are following this npm security best practices by protecting and minimizing the exposure of npm tokens.

2. Enable A Dependency Firewall To Block Packages At The Door-

Being notified is vital, however most of the time it’s far better to block the awful packages at the entryway. It is recommended to set up a code supply chain which restricts packages from being added to your private registries if they have not been scanned, are insecure or contain specific restrictive licenses.

3. Use Local NPM Proxy-

Npm registry is the largest collection of packages available for all Javascript programmers and is also the home of most Open source projects for web developers. But, sometimes you may have various requirements as far as security, deployments or performance. When it’s true, npm enables you to switch to a different registry:

When you run npm install, automatically it starts a communication with main registry to resolve all dependencies; if you want to use different registry, it also simple-

  • Set npm set registry to set up default registry.
  • Use argument –registry for single registry

Verdaccio registry is a simple lightweight zero-config-required and installing it is also simple with –

$ npm install --global verdaccio

Hosting own registry was never simple. Let’s have a look at most important features of this tool:

  • It supports npm registry format including private package features, package access control, scope support and authenticated users in the web interface.
  • It gives abilities to hook remote registries and the ability to route every dependency to various registries and caching tarballs. You should proxy all dependencies so as to reduce number of duplicate downloads and save bandwidth in local development and CI servers.
  • If project is Docker based, then use of official image will be the best choice
  • As an authentication provider by default, it makes use of htpasswd security, and also supports Gitlab, LDAP, Bitbucket. 
  • It is easy to scale using various storage provider.

It is easy to run:

$ verdaccio --config /path/config --listen 5000

If you’re using verdaccio for a local private library, consider having a configuration for your packages to uphold publishing to the local registry and avoid accidental publishing by developers to a public registry. To accomplish this add the following to package.json:

“publishConfig”: {
  “registry”: "https://localhost:5000"

To publish a package, use the npm command npm publish.

4. Ignore run-scripts To Reduce Attack Surfaces-

Npm CLI works with package run-scripts. If you’ve ever run start or npm test, you’ve used package run-scripts also. Npm CLI builds on scripts which a package can declare and allows packages to define scripts to run at particular entry points during the package’s installation. For instance, some script hook entries may be postinstall scripts that a package that is being installed will execute so as to perform housekeeping tasks.

Due to this capability, bad actors may create or modify packages to perform malicious actions because of running any arbitrary command when the package is installed. A few situations where this is a popular eslint-scope incident that harvested npm tokens, and the crossenv incident, with 36 other packages that abused a typosquatting attack on the npm registry.

Apply npm security best practices so as to reduce the malicious module attack surface:

  • While installing packages, ensure to add the –ignore-scripts suffix to disable the execution of any scripts by third-party packages.
  • Hold-off on upgrading blindly to new version, sometimes allow new package versions to circulate before trying.
  • Before you upgrade, ensure to review changelog and release notes for upgraded version.

5. Enforce The Lockfile-

During dependency installation both Npm and Yarn act similarly. When it detects inconsistency between project’s package.json and lockfile, they compensate for changes based on package.json manifest by installing various versions that were recorded in lockfile. Such situations can be risky for build and production environments as they could pull in unintended package versions and render the whole advantage of a lockfile pointless.

There is a way to tell both Yarn and npm to stick to a particular set of dependencies and their versions by referencing them from lockfile. The command line should read as- 

  • If you’re using Yarn, run yarn install –frozen-lockfile.
  • If you’re using npm run npm ci.

6. Keep Tokens And Passwords Secure –

It is better to centralize the token management, If you publish packages to a public repository. Stay away from the risk and hassle of distributing the token to all programmers. Keep away from coincidental exposure of sensitive credentials. Regardless of npm has added features to detect secrets, be habitual to update ignore files.

7. Enable 2FA-

Enabling 2FA is an easy and important win for npm security best practices. Registry supports two modes to enable 2FA in user’s account:

  • Authorization and write-mode- profile and log-in actions, as well as write actions like managing tokens and packages and minor support for team and package visibility information.
  • Authorization-only- When user log in to npm through a website or CLI or performs actions like changing profile information

Simple way to get started with 2FA extended protection for an account is with npm’s user interface, which enables it easily. If you’re proficient in command line, it will be easy to enable 2FA when using supported npm client version (>=5.5.1):

$ npm profile enable-2fa auth-and-writes

Follow, command line instructions to enable 2FA and save emergency authentication codes. If you want to enable 2FA mode for only login and profile changes, you might replace the auth-and writes with auth-only in the code as directed above.

Wrap Up-

As lots of developers claim that NPM packages are getting hacked, it becomes important to secure NPM packages in your project. If you’re also facing issues of getting hacked NPM packages, then these NPM security best practices are there to help you. If you’re planning to use Node.js, javascript for your next project, consult with Solace experts. We are here to help you through consultation and development. You can also hire Javascript developers, Node.js developers of Solace Infotech for an effective development with secured NPM. Connect with Solace and get a free quote for software development. We will be happy to help you.

Related Post