Ever since the Web development ecosystem evolved to the current paradigm of code reuse, companies have placed themselves too close to the abyss. Web supply chain attacks are a real security threat – and one which the enterprise is vastly unprepared for.
The security threats of relying on third-party code are mostly known within the scope of Magecart attacks – which consist of attackers injecting malicious code into third-party scripts to skim the credit card details of e-commerce shoppers. While Magecart is still a growing threat and deserves consideration on its own, too little attention is paid to a very different type of third-party code: npm packages.
Too many dependencies, too large an attack surface
NPM itself tells us that the average web app today contains over 1,000 code dependencies, with some breaching the 2,000 mark. Security-wise, each of these pieces of third-party code can actually serve as an attack vector to inject malicious code into applications. A recent study by Markus Zimmermann et al. provided much-needed insight into just how serious a security threat this practice of reusing code poses to the industry as a whole.
To frame why these threats exist in the first place, this team of researchers pinpoints some characteristics of the npm ecosystem, one of which is the abnormally high incidence of code reuse when compared to other ecosystems – which I mentioned above. Apart from this, two other characteristics play an important role: the heavy use of micropackages and the lack of privilege separation.
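To make the "attack surface" argument concrete, here is an added example (not code from the original post or from the study it cites) that walks a package-lock.json and reports how many distinct packages each direct dependency pulls in, and through how many direct dependencies each package is reachable. The lockfile object, the package names and the function names are all constructed for illustration.

```javascript
// Added example (not from the original post): walk a package-lock.json
// (lockfileVersion 2/3 "packages" layout) and measure the transitive attack
// surface. The lockfile below is constructed for illustration, not a real project.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "left-trim": "^0.1.0" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "http-utils": "^2.0.0", "tiny-flag": "^1.0.0" } },
    "node_modules/http-utils": { version: "2.0.0", dependencies: { "tiny-flag": "^1.0.0" } },
    "node_modules/tiny-flag": { version: "1.0.0" },
    "node_modules/left-trim": { version: "0.1.0", dependencies: { "tiny-flag": "^1.0.0" } },
  },
};

// Hoisted layout only; nested node_modules/a/node_modules/b entries are ignored.
function entryFor(lock, name) {
  return lock.packages[`node_modules/${name}`];
}

// Breadth-first walk: every package reachable from one direct dependency runs
// in the app because that one dependency was added.
function reachableFrom(lock, root) {
  const seen = new Set();
  const queue = [root];
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = entryFor(lock, name);
    queue.push(...Object.keys((entry && entry.dependencies) || {}));
  }
  return seen;
}

// Distinct packages overall, packages pulled in per direct dependency, and how
// many direct dependencies each package is reached through: a micropackage
// reached via several routes is one point of compromise for all of them.
function attackSurface(lock) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  const perDependency = {};
  const reachedVia = {};
  for (const d of direct) {
    const reach = reachableFrom(lock, d);
    perDependency[d] = reach.size;
    for (const p of reach) reachedVia[p] = (reachedVia[p] || 0) + 1;
  }
  return { direct: direct.length, transitive: Object.keys(reachedVia).length, perDependency, reachedVia };
}

console.log(attackSurface(lock));
```

Run against a real lockfile by replacing the constructed `lock` object with `JSON.parse(fs.readFileSync("package-lock.json"))`; the `reachedVia` counts show which small shared packages sit on the most paths into the application.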
The reliance on micropackages is especially releva ..