Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

npm bin script confusion: Abusing ‘bin’ to hijack ‘node’ command

Socket - Mikola Lysenko, posted 3 years ago
  • Supply chain attacks are very common within package managers such as the node package manager (npm). Malware commonly abuses npm lifecycle scripts such as preinstall and postinstall. To protect yourself, npm offers the --ignore-scripts flag. This article goes into bypassing that protection.
  • An npm package can export executable files which can easily be run. The directory holding these executables is added to the $PATH variable when npm scripts execute. Tools such as TypeScript and webpack rely on this mechanism.
  • So, this begs the question: "what if an attacker exported their own binary named node or npm?" It turns out that this is entirely possible! It bypasses --ignore-scripts on installation because the binary has nothing to do with the install scripts; it is picked up later, whenever an npm script invokes node or npm.
  • The package.json file simply has the bin field set to npm and node, pointing at a bash script that runs the custom code. npm promptly fixed this vulnerability, but the author claims that other variants are likely out there. Additionally, no package appeared to be using this maliciously at the time.
  • Overall, it's a really good post with a simple bug. If you're looking to find yourself a CVE, this seems ripe for the picking.